Wednesday, January 14, 2009

Rovio - mobile wifi-enabled surveillance - "I can See and Hear you now!"

Why is it that I am unable to touch a new piece of technology without finding problems with it? Ok, so I've been around long enough to know that's just the unfortunate state of technology. Companies should at least consider a consultation with outside security resources before releasing the next best thing. Get a fresh set of eyes looking at something and you are guaranteed to find something you overlooked that can be repaired before the market has to see it!

Such is the case with a "big kid" toy my wife decided to get me for Christmas, Rovio. In case you haven't seen it yet, Rovio is a very cool wifi-enabled robotic webcam. It has a built-in web server and you can drive it around your home from anywhere around the world, and see and hear what is happening at home. It's a great little combination of the latest technologies. Given that I like to experiment with new technologies, this was the perfect gift for me. I get to see what is the leading edge in consumer robotics and have a platform to do some research into where the technology can go.

Given that it was fairly new to the market, I expected it to have some bugs still, so I wasn't very surprised when I found them. What I was a little astonished to find was how exposed it makes you in its default configuration. Ok, so being security minded I was a little hesitant about a wifi-enabled robot with wheels, a microphone and camera joining my home network. So I gave it a short leash.

At first I was appalled that it tried to use UPnP to open up ports on my firewall. Of course I don't use UPnP (and neither should you), so that wasn't an issue for me, but nonetheless it shouldn't do that. The fact that it tries to do this by default, though, was especially concerning since it doesn't require you to set any passwords if you don't want to.

After toying with the device over the holidays (talking to your wife, kids, dogs, fish, etc. through a robot from one end of the house to the other is certainly amusing), I started to think about how secure this was going to be to use across the internet. Suffice it to say, it didn't take long to recognize the answer: it clearly wasn't. First of all, it is plainly apparent to anyone that the protocols used are clear text: HTTP, RTSP, HTTP-Basic authentication. However, even after enabling the basic credential capabilities it does have, I realized that hey, VLC still works to monitor the RTSP audio/video stream, without any credentials. Ah, and oh, look at all the other URLs you can get to that do not require any authentication. NOT GOOD.
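A way to check your own device for the gap described above, written as an added example that is not from the original post or the advisory: it sends each URL a request with no credentials (HTTP GET or RTSP DESCRIBE) and reports whether the device demanded authentication. The address `192.0.2.10`, the path `/stream` and the sample responses are constructed placeholders, not Rovio's actual URLs.

```python
import socket
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "rtsp": 554}
# Constructed responses standing in for a device (placeholder address and paths).
SAMPLE = {
    "http://192.0.2.10/": b'HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm="x"\r\n\r\n',
    "rtsp://192.0.2.10/stream": b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n\r\n",
}

def build_probe(url):
    """Return (host, port, request bytes) for a request carrying no credentials."""
    u = urlsplit(url)
    if u.scheme not in DEFAULT_PORTS:
        raise ValueError("unsupported scheme: " + u.scheme)
    port = u.port or DEFAULT_PORTS[u.scheme]
    if u.scheme == "rtsp":
        # RTSP DESCRIBE asks for the stream description, as a player would.
        req = f"DESCRIBE {url} RTSP/1.0\r\nCSeq: 1\r\nAccept: application/sdp\r\n\r\n"
    else:
        path = (u.path or "/") + ("?" + u.query if u.query else "")
        req = f"GET {path} HTTP/1.0\r\nHost: {u.hostname}\r\n\r\n"
    return u.hostname, port, req.encode("ascii")

def classify(raw):
    """Map a raw HTTP or RTSP response to 'auth-required', 'open' or 'other'."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "other"
    status = int(parts[1])
    names = {l.split(":", 1)[0].strip().lower() for l in lines[1:] if ":" in l}
    if status == 401 and "www-authenticate" in names:
        return "auth-required"
    if 200 <= status < 300:
        return "open"  # content was served without any credentials
    return "other"

def fetch(url, timeout=5):
    """Send the probe over TCP and return the first chunk of the reply."""
    host, port, req = build_probe(url)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        return s.recv(4096)

def audit(urls, fetcher=fetch):
    """Return {url: verdict}; 'open' entries need firewalling or a tunnel."""
    return {u: classify(fetcher(u)) for u in urls}

if __name__ == "__main__":
    print(audit(SAMPLE, fetcher=SAMPLE.get))  # offline run on the samples
```

Against a real device on your own network, call `audit([...])` with its actual URLs and the default `fetcher`.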

Details of my findings are available in the advisory I published.

If you got one of these little devices, please do be careful with it, you never know who might be eavesdropping! If you can, tunnel/encrypt your traffic through a VPN, Proxy, SSH, etc.

Let's hope the next firmware addresses most of this.

Flashback: This issue brought back memories of people reading /dev/audio on multiuser SunOS machines -- anyone else remember when that lightbulb went off? :)