AOH :: HP Unsorted W :: VA2306.HTM

WowWee Rovio - Insufficient Access Controls - Covert Audio/Video Snooping Possible



WowWee Rovio - Insufficient Access Controls - Covert Audio/Video Snooping Possible
WowWee Rovio - Insufficient Access Controls - Covert Audio/Video Snooping Possible



SUMMARY

WowWee Rovio - Insufficient Access Controls - Covert Audio/Video
Snooping Possible

OVERVIEW

Rovio from WowWee does not adequately secure all accessible URLs or media
streams, enabling an unauthorized user with network access to the robotic
webcam platform the ability to listen to and view audio/video streamed from
the device's onboard camera.  Additionally, audio-send capabilities are also
not secured, enabling mischievous sending of audio through Rovio's built-in
speaker.  Additional manipulations may be possible, robot control does not
appear to be impacted at this time.

DESCRIPTION

>From WowWee Website:

     Rovio(tm) is the ground breaking new Wi-Fi enable mobile webcam that lets
     you view and interact with its environment through streaming video and
     audio, wherever you are!

Unfortunately, Rovio's access control mechanisms (username/password) are not
completely utilized across the platform even when enabled.  Certain URLs and
RTSP Streaming capabilities of the device are accessible with no
authentication.  Furthermore, deployment of the device in the default
configuration attempts to use UPnP to automatically configure your firewall to
allow external access to the mobile webcam platform.

Resources exposed without proper access controls include:

rtsp://[rovio]/webcam   -- RTSP Audio/Video Stream, directly accessible.

and the following http://[rovio]:[publishedport]/ URLs are accessbile to anyone: 

/GetUPnP.cgi            -- Get UPnP config, including ports in use for RTSP
/GetStatus.cgi          -- display general device status
/GetVer.cgi             -- display firmware version, enables targeted
                           attacks, discovery.
/ScanWlan.cgi           -- display WiFi Networks visible to device
/GetAudio.cgi           -- "Send" audio to Rovio's speaker, "What's up Doc?"
/GetMac.cgi             -- device mac adress
/Upload.cgi             -- upload new firmware [actual upload untested]
/GetUpdateProgress.cgi
/GetTime.cgi
/GetLogo.cgi
/GetName.cgi
/GetVNet.cgi
/description.xml
/cmgr/control
/cmgr/event
/cdir/control
/cdir/event
/Cmd.cgi                -- Accessible without arguments, but does not appear
                           to allow ACL bypass to normally protected
                           sub-commands.  Unknown if any hidden commands exist.

/SendHttp.cgi           -- When authentication is enabled, this appears to be
                           protected.  However in a default configuration with
                           no authentication, it could provide for interesting
                           reverse-proxy like manipulation of web-based
                           firewall admin interfaces.

                           Additionally, this script is used by the "Ping
                           Test" that WowWee sends to their servers to help
                           verify your internet connectivity and UPnP settings
                           are working.  What's disheartening here is that
                           your IP address and rovio's port are sent to WowWee
                           and potentially stored in their server logs.


ADDITIONAL ISSUES

Additionally, WowWee is advised that they should alter the default
configuration to not automatically utilize UPnP to attempt to open up external
access to these devices.

1) In the default configuration no authentication is required until the user
   sets up accounts.

2) Proper notification should be displayed to users regarding the potential
   risks and ramifications of these settings and they must be involved in the
   decision process, by being required to take action action to agree to
   expose such devices to external access.

Additionally, it should be noted that the platform uses HTTP Basic
authentication over unencrypted HTTP.  Using such mechanisms across the
internet does expose users to network-sniffing attacks, where an attacker
could obtain the credentials or observe the data streams being transmitted.

IMPACT

Users of this mobile wi-fi webcam may unwittingly open their homes up to
anonymous eaves-dropping of their personal lives and communications.

SOLUTION

WowWee must supply an updated firmware that fixes these issues.

WORKAROUND

Users of these devices are encouraged to disable direct external access and
seek other means to secure such access (Authenticated, Encyrpting Proxies, or
Access over a VPN connection for example).  It is understood that most
consumers of these devices do not have such means, so WowWee should be
compelled to provide adequate protection and access controls.

REFERENCES

http://www.simplicity.net/vuln/2009-01-Rovio-insecurity.html 
http://www.wowwee.com/en/products/tech/household/rovio 

CREDIT

This issue was discovered and disclosed by Brian Dowling of Simplicity
Communications.

HISTORY

2009-01-06 - Initial Report to WowWee support.
2009-01-07 - Second request to simply confirm reciept of my first notifciation.
2009-01-08 - Automated, canned response from web-submission form.
2009-01-14 - Due to lack of appropriate, timely response, additional insight
             contained above and general concern for users of these devices
             unknowingly being exposed in this way, this information has been
             publicly disclosed.  Hopefully as WowWee forays into more
             networked-enabled consumer devices they will provide proper
             channels and handling for vulnerability disclosure.

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.