
FLIR FX / Lorex video stream hijack: Disclosure train wreck

Ken Munro 26 Jul 2018

We found that anyone could access any video stream for certain Swann wireless home security cameras. The technical detail is here.

It was a consequence of weak authorisation by the cloud service provider, Ozvision. They claim to provide the back end to ~3 million cameras, so we started looking at the other camera brands they service.

We had a set of FLIR-FX cameras, so we started with these:

Within moments, we discovered that exactly the same serial switching technique worked. A hacker would have access to any camera video stream, though we tested it by switching serials between our own cameras.

Disclosure train wreck

Ozvision already knew about the vulnerability, as Swann had informed them. The Swann customer camera cloud environment had quickly been fixed. Swann took swift action to fix the flaw and had a constructive dialogue with us.

You would have thought Ozvision would proactively fix all the other customer environments too, right? Nope…

We tried to contact FLIR / Lorex with limited success:

We knew they were aware of the issue, from the Depth Security blog and disclosure attempt. Read the end of this blog to see evidence that FLIR/Lorex acknowledged the vulnerability report in October 2017.

The BBC then tried to get a statement from them to unpick why the cameras were still vulnerable. Here’s what they posted: https://help.lorextechnology.com/alert/potential-security-vulnerability-flir-fx-camera-models-fx-v101hw

ARE YOU HAVING A LAUGH?

Let’s address each point in turn:

It’s not a POTENTIAL vulnerability – it’s proven, trivial access to customers’ video feeds!

The camera is still on sale, even by FLIR themselves: https://www.flirsecure.com/flir-fx-wifi-security-camera/wifi-home-monitoring-camera-flir-fx/FXV101-H-1-p

  • The random part of the serial is only 9 digits long. The serials for all cameras can be enumerated in about 3 days
  • The URL is /stream1, found in the mobile app
  • Er – free tools such as Burp and tools found in FLIR/Lorex’s own DVR software!

So we thought we would suggest a re-write of their press statement:

Here’s what we believe would be a more accurate version:

So, even though it was FLIR branded equipment, available to buy today from FLIR branded online stores & developed by FLIR, they’ve tried to dismiss this as someone else’s problem. Wow.

Conclusion

I thought Swann came out of the video access issue fairly well. They addressed the issue very quickly and communicated with us well. Good on you, Swann!

Ozvision and FLIR/Lorex, I think, made themselves look pretty foolish. They clearly care more about their brand image than protecting their customers.

We’ve got more findings to publish in this area. I think we might refocus our efforts on the FLIR/Lorex cams instead of Swann…

If any other camera vendors use Ozvision cloud services, you would be well advised to check your systems before we get round to buying your product and checking for ourselves.
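
For vendors doing that check, here is an added example (not code from this post, Ozvision or any camera vendor) of the two controls the serial switching issue calls for: a server-side ownership check on every stream request, and a log review that flags accounts requesting serials they do not own. The ownership table, log format, account names and serial values are constructed for illustration; only the `/stream1` path comes from the post.

```python
from collections import defaultdict

# Constructed ownership table: camera serial -> account that registered it.
OWNERS = {
    "CAM000000101": "alice",
    "CAM000000102": "bob",
}

# Constructed access log: "<timestamp> <account> GET /stream1 serial=<serial>"
SAMPLE_LOG = """\
2018-07-26T10:00:01Z alice GET /stream1 serial=CAM000000101
2018-07-26T10:00:05Z bob GET /stream1 serial=CAM000000102
2018-07-26T10:00:09Z mallory GET /stream1 serial=CAM000000101
2018-07-26T10:00:10Z mallory GET /stream1 serial=CAM000000102
2018-07-26T10:00:11Z mallory GET /stream1 serial=CAM000000103
"""


def authorize_stream(account, serial, owners=OWNERS):
    """Allow a stream only if the authenticated account owns the serial.
    Unknown serials are denied the same way, so the response does not
    reveal which serials exist."""
    return owners.get(serial) == account


def parse_line(line):
    """Return (account, serial) for a /stream1 request, or None."""
    parts = line.split()
    if len(parts) != 5 or parts[3] != "/stream1":
        return None
    if not parts[4].startswith("serial="):
        return None
    return parts[1], parts[4][len("serial="):]


def find_serial_switching(log_text, owners=OWNERS, threshold=2):
    """Return {account: sorted serials} for accounts that requested at
    least `threshold` distinct serials they do not own."""
    denied = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        account, serial = parsed
        if not authorize_stream(account, serial, owners):
            denied[account].add(serial)
    return {a: sorted(s) for a, s in denied.items() if len(s) >= threshold}


if __name__ == "__main__":
    print(find_serial_switching(SAMPLE_LOG))
```

With a serial space as small as the 9 random digits described above, the ownership check is the control that matters; the log review only tells you whether someone has already been trying.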