
Peeping into baby rooms: Apexis and Sumpple smart camera database leak


Hundreds of thousands of IoT cameras from Apexis and their daughter brand Sumpple, sold mostly on Amazon and cheap webshops like AliExpress and Wish, can be accessed by anyone thanks to a database leak. 

The info in the database consists of email addresses and passwords, which allows anyone to connect to any of the cameras in the database.  Apparently the camera's location data is also stored there, so it shouldn't be hard to find out which exact house you are spying on.

The big problem lies in the database itself, which is secured by a password that appears in most "bad password" lists (so probably "monkey123" or "123456").  The data inside the database is also stored unencrypted.


Once they enter the email address and password of a camera, intruders can control said camera, talk through the built-in speaker or simply watch and record the audio and video feed.

The passwords of many hundreds of thousands of worldwide users are stored unencrypted, making them easy to see. So no passwords need to be cracked to gain access to the smart cameras. The database also contains location data from the cameras.

The use of a strong password is not sufficient with the cameras from Apexis and Sumpple. The passwords, no matter how complicated, can simply be seen in the leaked data. Changing the password also makes no sense, because the new password is stored in the poorly secured database.

(quote translated from the original Dutch article)

This was discovered by hacker collective The Arcanum Group, who responsibly disclosed this to Apexis and Sumpple in early August. Because neither company bothered to reply or even change the database's password, they have now gone public.

Apexis and Sumpple have been contacted by RTL News, the original source of the story, but neither company wants to reply.

Seeing as changing your password doesn't help, it looks like permanently unplugging the cameras is the only solution.

Source: RTL News (in Dutch, will add English sources later tonight when this story gets more international coverage)

English translation available at brica.de

This is really bad. It looks like security really was an afterthought and the lack of response shows that they simply don't care.

A lot of people who are not tech-savvy will have these cameras and never find out. And then there will be those who use the same password for their email account...

As Steve Gibson always says, the "S" in "IoT" stands for "Secure".


4 minutes ago, Captain Chaos said:

As Steve Gibson always says, the "S" in "IoT" stands for "Security".

Well, shIOT!


2 minutes ago, Origami Cactus said:

Now that is really bad.

One more reason to build your own security system instead of using a cheap Chinese one.

Chinaman-cameras themselves are usually perfectly fine, it's just the software that's bad. One option is to do like I do: either modify their firmware or just simply block their Internet access and then use Zoneminder or similar instead to monitor them and to access remotely.


28 minutes ago, WereCatf said:

Chinaman-cameras themselves are usually perfectly fine, it's just the software that's bad. One option is to do like I do: either modify their firmware or just simply block their Internet access and then use Zoneminder or similar instead to monitor them and to access remotely.

That works for things like HikVision (I have exactly this setup: HikVision cameras denied access to the internet, and a ZoneMinder server) but these appear to be smart cameras, which you are supposed to access via the cloud. This type of camera often doesn’t have a locally accessible video stream.


The wonders of IoT!


I really need a "Home IoT is Evil" meme template. These types of massive security failures will hit nearly all of them, especially since most of the cheaper IoT devices don't allow for firmware upgrades.


pedos rn:

anyways this was going to happen, like hell I'm allowing IoT into my house.

also

17 hours ago, Taf the Ghost said:

I really need a "Home IoT is Evil" meme template

just put the Eye of Sauron on IoT devices and call it a day, that basically sums them up!


how idiotic

I mean idc if it's secure and in the cloud but IT'S NOT


Do you even NEED that?

