SUMMARY WowWee Rovio - Insufficient Access Controls - Covert Audio/Video Snooping Possible OVERVIEW Rovio from WowWee does not adequately secure all accessible URLs or media streams, enabling an unauthorized user with network access to the robotic webcam platform the ability to listen to and view audio/video streamed from the device's onboard camera. Additionally, audio-send capabilities are also not secured, enabling mischievous sending of audio through Rovio's built-in speaker. Additional manipulations may be possible, robot control does not appear to be impacted at this time. DESCRIPTION <em class="quotelev1">>From WowWee Website:</em> Rovio(tm) is the ground breaking new Wi-Fi enable mobile webcam that lets you view and interact with its environment through streaming video and audio, wherever you are! Unfortunately, Rovio's access control mechanisms (username/password) are not completely utilized across the platform even when enabled. Certain URLs and RTSP Streaming capabilities of the device are accessible with no authentication. Furthermore, deployment of the device in the default configuration attempts to use UPnP to automatically configure your firewall to allow external access to the mobile webcam platform. Resources exposed without proper access controls include: rtsp://[rovio]/webcam -- RTSP Audio/Video Stream, directly accessible. and the following http://[rovio]:[publishedport]/ URLs are accessbile to anyone: /GetUPnP.cgi -- Get UPnP config, including ports in use for RTSP /GetStatus.cgi -- display general device status /GetVer.cgi -- display firmware version, enables targeted attacks, discovery. /ScanWlan.cgi -- display WiFi Networks visible to device /GetAudio.cgi -- "Send" audio to Rovio's speaker, "What's up Doc?" /GetMac.cgi -- device mac adress /Upload.cgi -- upload new firmware [actual upload untested] /GetUpdateProgress.cgi /GetTime.cgi /GetLogo.cgi /GetName.cgi /GetVNet.cgi /description.xml /cmgr/control /cmgr/event /cdir/control /cdir/event /Cmd.cgi -- Accessible without arguments, but does not appear to allow ACL bypass to normally protected sub-commands. Unknown if any hidden commands exist. /SendHttp.cgi -- When authentication is enabled, this appears to be protected. However in a default configuration with no authentication, it could provide for interesting reverse-proxy like manipulation of web-based firewall admin interfaces. Additionally, this script is used by the "Ping Test" that WowWee sends to their servers to help verify your internet connectivity and UPnP settings are working. What's disheartening here is that your IP address and rovio's port are sent to WowWee and potentially stored in their server logs. ADDITIONAL ISSUES Additionally, WowWee is advised that they should alter the default configuration to not automatically utilize UPnP to attempt to open up external access to these devices. 1) In the default configuration no authentication is required until the user sets up accounts. 2) Proper notification should be displayed to users regarding the potential risks and ramifications of these settings and they must be involved in the decision process, by being required to take action action to agree to expose such devices to external access. Additionally, it should be noted that the platform uses HTTP Basic authentication over unencrypted HTTP. Using such mechanisms across the internet does expose users to network-sniffing attacks, where an attacker could obtain the credentials or observe the data streams being transmitted. IMPACT Users of this mobile wi-fi webcam may unwittingly open their homes up to anonymous eaves-dropping of their personal lives and communications. SOLUTION WowWee must supply an updated firmware that fixes these issues. WORKAROUND Users of these devices are encouraged to disable direct external access and seek other means to secure such access (Authenticated, Encyrpting Proxies, or Access over a VPN connection for example). It is understood that most consumers of these devices do not have such means, so WowWee should be compelled to provide adequate protection and access controls. REFERENCES http://www.simplicity.net/vuln/2009-01-Rovio-insecurity.html http://www.wowwee.com/en/products/tech/household/rovio CREDIT This issue was discovered and disclosed by Brian Dowling of Simplicity Communications. HISTORY 2009-01-06 - Initial Report to WowWee support. 2009-01-07 - Second request to simply confirm reciept of my first notifciation. 2009-01-08 - Automated, canned response from web-submission form. 2009-01-14 - Due to lack of appropriate, timely response, additional insight contained above and general concern for users of these devices unknowingly being exposed in this way, this information has been publicly disclosed. Hopefully as WowWee forays into more networked-enabled consumer devices they will provide proper channels and handling for vulnerability disclosure.