Pierluigi Paganini December 29, 2018

A vulnerability in the Guardzilla home video surveillance system could be exploited by users to watch Guardzilla footage of other users.

The Guardzilla All-In-One Video Security System is an indoor video surveillance solution. The flaw was discovered by the researchers Nick McClendon, Andrew Mirghassemi, Charles Dardaman, INIT_6 and Chris, from 0DayAllDay, the issue was reported to the vendor by Rapid7.

“During the 0DAYALLDAY Research Event a vulnerability was discovered (CVE-2018-5560) in the Guardzilla Security Video System Model #: GZ521W.  The vulnerability lies within the design and implementation of Amazon Simple Storage Service (S3) credentials inside the Guardzilla Security Camera firmware.” read a post published by 0dayallday.org.

“Accessing these S3 storage credentials is trivial for a moderately skilled attacker. “

The bad news is that the vendor hasn’t yet addressed the flaw.

discovered that the GZ501W camera model contains a shared, hard-coded credential for Amazon S3 backed used as a storage of footage.

“The Guardzilla IoT-enabled home video surveillance system contains a shared Amazon S3 credential used for storing saved video data. Because of this design, all users of the Guardzilla All-In-One Video Security System can access each other’s saved home video.” reads the analysis published by Rapid7.

“This issue is an instance of CWE-798: Use of Hard-coded Credentials. It has a CVSSv3 base score of 8.6, since once the password is known, any unauthenticated user can collect the data from any affected system over the internet.”

This means that any user of the Guardzilla All-In-One Video Security System could access other’s saved home video because the system uses the same password. Any unauthenticated user can collect the data from any of the systems exposed online if knowing the storage details.

“Embedded S3 credentials have unlimited access to all S3 buckets provisioned for that account,” continues the analysis. “This was determined through static analysis of the firmware shipping with the device. Once the firmware was extracted and the root password ‘GMANCIPC’ was cracked, the Amazon S3 access key was recovered.”

An attacker can connect to the Amazon S3 account and access the various buckets associated with the service by using the access keys recovered from the firmware.

Waiting for a patch, users should ensure that cloud-based data storage functions of the device are not enabled.

Pierluigi Paganini

(SecurityAffairs – Guardzilla, IoT)

[adrotate banner=”5″] [adrotate banner=”13″]