IZON IP Cameras Riddled With Security Flaws
An anonymous reader writes "With recent action by the FTC against TRENDnet, the 'Internet of Things' has taken a sharp turn in the eyes of the public and government with regard to security. This week, Duo Security employee Mark Stanislav presented security research he did on the IZON IP camera from Stem Innovation. Through his testing, Mark found hardcoded credentials for Linux accounts (accessible by Telnet; yes, really), an undocumented web interface allowing for viewing a camera's stream (also with hardcoded credentials, user/user), and a variety of other failings including a lack of cryptography in most of the camera's functionality, including when uploading videos to Amazon Web Services's S3 storage." According to the above-linked article, "Contacted by The Security Ledger, Stem Innovation CTO Matt McBeth said that the IZON firmware, server system and iOS applications tested by Stanislav have since been updated, and that the research contains “inaccurate and misleading information.” Stem did not provide specific information about any inaccuracies."
Farmed Out Too Much Code? (Score:5, Interesting)
I'll be generous and guess that IZON farmed out too much of their software development to ... wherever. Perhaps the company's principals are more hardware oriented, but it's interesting that they're now advertising for an iOS team lead.
Obvious, and products are always like this. (Score:5, Interesting)
Re:Product X has security flaw... (Score:4, Interesting)
A back door is not a security flaw. It's there by design not by accident.
A backdoor is a security flaw if
a) the owners are not told that it is there (or)
b) the owners cannot turn it off (or)
c) if the FTC says it is.
There are (deliberately vague) promises about security made on the IZON site.
IZON lets you watch & listen from anywhere, with secure access to the IZON video stream.
To not reveal a backdoor account has already been found by the FTC (see first link) as a violation which gets you 20 years' worth of monitoring: Per the FTC in the TRENDnet case:
The company also is required to obtain third-party assessments of its security programs every two years for the next 20 years.