Access to Doorbell Cameras Can Be Maintained Even After a Password Change, Florida Student Discovers

Security Cameras Accessible After Password Change

A recent study showed that when it comes to online accounts, users aren't that keen on changing their passwords, even when there's evidence that their login data may have been compromised. They're clearly not especially familiar with the potential dangers associated with this, and many of them have adopted the 'it won't happen to me' mentality.

When it comes to the security cameras installed in their homes, however, they'll probably be a lot more careful. The potential impact on a person's privacy is much more obvious, and users are likely to be more conscious of the consequences, which means that they'll use every access control tool they have to ensure that their cameras are not accessible to outsiders. Another academic research paper, however, shows that this could be a lot harder than it seems.

When it comes to IoT cameras, a changed password doesn't necessarily mean revoked access

The study was carried out by Blake Janes, a student at the Florida Institute of Technology, and it's based on a very plausible scenario. Imagine a couple called Alice and Bob, who live in a house equipped with internet-connected security and doorbell cameras. Both have access to the live feed from the cameras and can control them. At one point, however, the two split, and Bob moves out. Alice wants to ensure that Bob no longer has access to the surveillance devices, which is why she changes the cameras' passwords or uses other available tools to ensure that only she can see the stream. What Blake Janes found out is that with many modern cameras, Bob will be able to access the video stream even after the password change.

Janes took 19 of last year's most popular internet-connected cameras, and he conducted not one but two experiments. First, he tried restricting access to the cameras by changing the passwords but found out that only 3 of the 19 devices locked Bob out immediately. Some of the video streams remained available for more than 30 minutes after the password change, and 4 of the cameras even left Bob with administrative rights to control the devices.

The second scenario involved completely revoking Bob's account. 13 of the 19 cameras support multiple accounts, and they all failed to immediately cut Bob's access to the feed. Eight of them remained open for more than 30 minutes.

It's not a vulnerability, it's a design flaw

The authentication mechanism used by these devices is rather involved. When Bob logs into his account, he connects to the manufacturer's API server. From there, he receives a token that lets him access the camera's stream, which is hosted on a separate server. When Alice changes the camera's password or revokes Bob's account, she cuts his access to the API server, which means that Bob can't obtain a new token. He already has one, however, and in some cases it remains valid for quite a while, because the stream server only checks the token itself, not whether the credentials it was issued under still stand.
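To make the failure mode concrete, here is an added illustration (not code from the paper or from any camera vendor) of a stream server that validates a long-lived token the way the study describes, next to one that also ties the token to a per-account "credential generation" that the API server bumps on every password change or account revocation. The signing key, token format, lifetime and account names are all constructed for the demo.

```python
import base64, hashlib, hmac, json

# Constructed signing key for the demo; a real API server keeps this secret.
SIGNING_KEY = b"demo-api-server-key"
TOKEN_LIFETIME = 24 * 3600  # a long-lived token, as the study observed

# Per-account credential generation kept by the API server (assumed design).
# Changing the camera password or revoking a user changes it; each token
# records the generation it was issued under.
credential_generation = {"bob": 1}

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user: str, camera: str, now: float) -> str:
    """API server: hand Bob a signed token granting access to the stream."""
    claims = {"sub": user, "cam": camera, "exp": now + TOKEN_LIFETIME,
              "gen": credential_generation[user]}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def change_password(user: str) -> None:
    """Alice changes the password: every token issued before this is stale."""
    credential_generation[user] = credential_generation.get(user, 0) + 1

def revoke_account(user: str) -> None:
    """Alice removes Bob's account entirely."""
    credential_generation.pop(user, None)

def _verify_signature(token: str):
    body, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    return json.loads(_unb64(body))

def stream_server_naive(token: str, now: float) -> bool:
    """Stream server as in the study: only signature and expiry are checked."""
    claims = _verify_signature(token)
    return claims is not None and claims["exp"] > now

def stream_server_hardened(token: str, now: float) -> bool:
    """Also require the token's generation to match the account's current one."""
    claims = _verify_signature(token)
    if claims is None or claims["exp"] <= now:
        return False
    return claims["gen"] == credential_generation.get(claims["sub"])
```

The hardened check costs the stream server one account lookup per request, which is exactly the load the long-lived token was meant to avoid; short-lived tokens with a refresh step are the other common way to keep that cost bounded while still revoking promptly.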

The main problem lies with the token's lengthy expiration, though Blake Janes points out other issues like a lack of notification when it comes to who is accessing the devices and relaxed access control policies of the servers themselves. The experiment showed that Google's Nest cameras suffer from the same issues, which is why Janes received a little over $3,000 as a part of the search engine giant's bug bounty program.

When you read his research paper, however, you'll be left with the impression that this is not a bug, but a conscious design decision. The token's lengthy expiration takes some pressure off the servers and eliminates the need to enter usernames and passwords all the time. According to the paper, the apps don't display constant access notifications in order to reduce what's known as warning fatigue. In other words, all these flaws are the result of the vendors' attempt to make the devices more user-friendly.

It's yet another triumph of usability over security. This time, however, it concerns devices that are supposed to keep us and our privacy safe, which is why some of the vendors are already working on the problems highlighted by Blake Janes' research. Here's hoping that they'll find solutions soon.

June 9, 2020
