SUMMARY
WowWee Rovio - Insufficient Access Controls - Covert Audio/Video
Snooping Possible
OVERVIEW
Rovio from WowWee does not adequately secure all accessible URLs or media
streams, enabling an unauthorized user with network access to the robotic
webcam platform the ability to listen to and view audio/video streamed from
the device's onboard camera. Additionally, audio-send capabilities are also
not secured, enabling mischievous sending of audio through Rovio's built-in
speaker. Additional manipulations may be possible, robot control does not
appear to be impacted at this time.
DESCRIPTION
<em class="quotelev1">>From WowWee Website:</em>
Rovio(tm) is the ground breaking new Wi-Fi enable mobile webcam that lets
you view and interact with its environment through streaming video and
audio, wherever you are!
Unfortunately, Rovio's access control mechanisms (username/password) are not
completely utilized across the platform even when enabled. Certain URLs and
RTSP Streaming capabilities of the device are accessible with no
authentication. Furthermore, deployment of the device in the default
configuration attempts to use UPnP to automatically configure your firewall to
allow external access to the mobile webcam platform.
Resources exposed without proper access controls include:
rtsp://[rovio]/webcam -- RTSP Audio/Video Stream, directly accessible.
and the following http://[rovio]:[publishedport]/ URLs are accessbile to anyone:
/GetUPnP.cgi -- Get UPnP config, including ports in use for RTSP
/GetStatus.cgi -- display general device status
/GetVer.cgi -- display firmware version, enables targeted
attacks, discovery.
/ScanWlan.cgi -- display WiFi Networks visible to device
/GetAudio.cgi -- "Send" audio to Rovio's speaker, "What's up Doc?"
/GetMac.cgi -- device mac adress
/Upload.cgi -- upload new firmware [actual upload untested]
/GetUpdateProgress.cgi
/GetTime.cgi
/GetLogo.cgi
/GetName.cgi
/GetVNet.cgi
/description.xml
/cmgr/control
/cmgr/event
/cdir/control
/cdir/event
/Cmd.cgi -- Accessible without arguments, but does not appear
to allow ACL bypass to normally protected
sub-commands. Unknown if any hidden commands exist.
/SendHttp.cgi -- When authentication is enabled, this appears to be
protected. However in a default configuration with
no authentication, it could provide for interesting
reverse-proxy like manipulation of web-based
firewall admin interfaces.
Additionally, this script is used by the "Ping
Test" that WowWee sends to their servers to help
verify your internet connectivity and UPnP settings
are working. What's disheartening here is that
your IP address and rovio's port are sent to WowWee
and potentially stored in their server logs.
ADDITIONAL ISSUES
Additionally, WowWee is advised that they should alter the default
configuration to not automatically utilize UPnP to attempt to open up external
access to these devices.
1) In the default configuration no authentication is required until the user
sets up accounts.
2) Proper notification should be displayed to users regarding the potential
risks and ramifications of these settings and they must be involved in the
decision process, by being required to take action action to agree to
expose such devices to external access.
Additionally, it should be noted that the platform uses HTTP Basic
authentication over unencrypted HTTP. Using such mechanisms across the
internet does expose users to network-sniffing attacks, where an attacker
could obtain the credentials or observe the data streams being transmitted.
IMPACT
Users of this mobile wi-fi webcam may unwittingly open their homes up to
anonymous eaves-dropping of their personal lives and communications.
SOLUTION
WowWee must supply an updated firmware that fixes these issues.
WORKAROUND
Users of these devices are encouraged to disable direct external access and
seek other means to secure such access (Authenticated, Encyrpting Proxies, or
Access over a VPN connection for example). It is understood that most
consumers of these devices do not have such means, so WowWee should be
compelled to provide adequate protection and access controls.
REFERENCES
http://www.simplicity.net/vuln/2009-01-Rovio-insecurity.html
http://www.wowwee.com/en/products/tech/household/rovio
CREDIT
This issue was discovered and disclosed by Brian Dowling of Simplicity
Communications.
HISTORY
2009-01-06 - Initial Report to WowWee support.
2009-01-07 - Second request to simply confirm reciept of my first notifciation.
2009-01-08 - Automated, canned response from web-submission form.
2009-01-14 - Due to lack of appropriate, timely response, additional insight
contained above and general concern for users of these devices
unknowingly being exposed in this way, this information has been
publicly disclosed. Hopefully as WowWee forays into more
networked-enabled consumer devices they will provide proper
channels and handling for vulnerability disclosure.