Security researchers have identified several vulnerabilities in a line of Geeni devices, on sale at large retailers such as Walmart and Amazon, that includes smart doorbells and security cameras. Smart devices that include cameras will always attract more attention from security researchers because they present a greater risk when compromised. People often use them because of their affordability, so many customers could be exposed via any vulnerabilities.
Researchers from the Florida Institute of Technology in Melbourne, Florida, looked at Merkury/Geeni GNC-CW013, GNC-CW025, MI-CW024 doorbells and GNC-CW003, GNC-CW010, GNC-CW028, MI-CW017 cameras models. They found that attackers could gain privileged access to devices and listen to all audio and video recorded.
Unfortunately, most of these vulnerabilities are also found in many other IoT devices, which only shows that manufacturers don’t really learn from others’ mistakes. In one situation, the researchers found a remote telnet with a static credentials vulnerability. In another, an undocumented account with static credentials.
The researchers reported the vulnerabilities to MITRE and the vendor in November of 2020, but they say nothing about the manufacturer’s response. They respected the usual 90-day disclosure timeline, but the vulnerabilities apparently haven’t been fixed.
However, they did offer some advice to the manufacturer on how to correct most issues, including closing Telnet access, disable the RESTful API, remote the apexis account, recode the rstpd instructions, and stop the rtspd from delivering a telnet session using the apx console.
Customers looking to buy a new camera or doorbell should check the brand’s history and see if the manufacturer closes vulnerabilities when reported. While some devices might seem a lot cheaper than others, there’s usually a good reason for it.