A popular home security device made by Guardzilla contains a security vulnerability that could make it possible for outsiders to access video recordings, according to research published Thursday.
Guardzilla’s indoor wireless security system, the GZ501W, contains hardcoded security keys rendered vulnerable by an outdated algorithm that TechCrunch reports is easy to crack. Hackers can use those keys to log on to Guardzilla’s storage servers at Amazon Web Services to access data uploaded by customers, according to the new findings. Researchers from 0DayAllDay released their findings Thursday after notifying Guardzilla of the vulnerabilities in September and receiving no response.
“[W]e’re publishing this [Thursday], which happens to be right about 60 days after our first disclosure to the vendor of this video camera,” Tod Beardsley, research director at Rapid7, explained in a blog post. Rapid7 was involved in the research.
“Unfortunately, despite multiple efforts at coordination with the vendor, we haven’t heard back from them at all,” the blog reads.
Guardzilla did not respond to a request for comment from CyberScoop.
TechCrunch reported that a representative for Guardzilla’s registered agent said the “accusations are false” without providing detail or answering follow-up questions.
Researchers advised users to wait for a security patch that will fix the flaw. Until a patch is available, device owners should ensure that the cloud-based data storage functions of the devices are not enabled.
Hardcoded passwords remain a problem in many inexpensive connected devices. Hackers have programmed malicious software to automatically guess hardcoded passwords to infiltrate and take control of devices without the owner’s knowledge or permission. Such passwords allow cybercriminals to launch distributed denial-of-service attacks, which have knocked websites as popular as Spotify and Netflix offline in recent years.
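Hardcoded cloud credentials of the kind described above can be caught before a firmware image ships. What follows is an added example, not code from the researchers or from Guardzilla: a small Python scanner that searches a constructed firmware blob for AWS-format access key IDs and for 40-character secret-key candidates that also clear an entropy floor. The `AKIA` prefix and key lengths are the public AWS credential formats; every byte of the sample blob, including the key strings, is made up.

```python
import math
import re

# Constructed sample firmware blob. The key material is a made-up placeholder,
# not a real credential; the 40-zero string is a low-entropy decoy that a
# length-only match would wrongly flag.
SAMPLE_FIRMWARE = (
    b"\x7fELF" + b"\x00" * 12
    + b"upload_bucket=camera-clips\x00"
    + b"aws_access_key_id=AKIAEXAMPLE0000PLACE\x00"
    + b"aws_secret_access_key=EXAMPLEsecretKEY0000000000PLACEHOLDER123\x00"
    + b"padding=0000000000000000000000000000000000000000\x00"
    + b"version=1.0\x00"
)

# AWS access key IDs are 20 chars starting with AKIA; secret keys are 40 chars
# from the base64 alphabet. The lookarounds stop matches inside longer runs.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])AKIA[0-9A-Z]{16}(?![A-Z0-9])")
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+=]{40}(?![A-Za-z0-9/+])")


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; random key material scores well above filler."""
    if not data:
        return 0.0
    counts = {}
    for b in data:
        counts[b] = counts.get(b, 0) + 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_hardcoded_aws_keys(blob: bytes, min_entropy: float = 3.0) -> list:
    """Return sorted (offset, kind, value) tuples for embedded AWS-style keys.

    Access key IDs are matched on format alone. Secret-key candidates must also
    clear an entropy floor so repetitive padding does not raise false positives.
    """
    hits = []
    for m in ACCESS_KEY_RE.finditer(blob):
        hits.append((m.start(), "access_key_id", m.group().decode()))
    for m in SECRET_KEY_RE.finditer(blob):
        if shannon_entropy(m.group()) >= min_entropy:
            hits.append((m.start(), "secret_key_candidate", m.group().decode()))
    return sorted(hits)


if __name__ == "__main__":
    for offset, kind, value in find_hardcoded_aws_keys(SAMPLE_FIRMWARE):
        # Redact the middle so the scanner's own output never leaks a full key.
        print(f"0x{offset:06x} {kind:22s} {value[:4]}...{value[-4:]}")
```

Run the same function over a real firmware dump (for example, the output of a filesystem extractor) to confirm no shipped image carries cloud credentials.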
The flaw allowing unauthorized access to data stored in the cloud is not the only Guardzilla vulnerability reported Thursday. Among the other issues were several known security bugs regarding the company’s ongoing use of an OpenSSL encryption library that was widely abandoned years ago, according to TechCrunch.