What are we buying? A wifi baby camera. Will it be secure?

Armed with $20 and an interest in learning hacking, I visited Canada Computers today to see what 'extended boxing week sale' they had. And lo and behold, it was this. A Trendnet WiFi HD Baby Cam TV-IP745SIC. $19. Sweet. Since this is designed to be in your home, monitoring your baby, with bidirectional audio, and cloud access, they must have taken pains to secure it, right? They go to great pains to explain 'designed in USA' so one cannot use the convenient 'but insecure consumer gadget china...' argument if not.

It arrived with firmware 1.0.0 (always ominous!), dated 2014/1/ 03:32:55, build number 4521.

(The conclusions are at the end, hint: the cloud has no security, buy this if you want random people to see, hear, and talk to your kids while you are not around).

Presented with a forced-change of password, which must be 8-16 characters, I chose admin123 (7 characters), and it worked. Hmm.

It appears a plugin is required. As you might expect, the link is to a Windows MSI file (stored on the device).

Now the attempt at security is, although not exactly life-support-on-space-mission strong, still reasonable for a home device that is not internet-facing. By default it requires auth on http/rtsp/snapshots.

If we open vlc to it (vlc rtsp://192.168.30.30/play1.sdp), we get live video, with the *highest* quality of lens! We can also get a jpeg snapshot from http://192.168.30.30/image/jpeg.cgi.

If we hit the 'play/pause' button on the top, it starts to play some music-box-dancer piano song. Nice.

The default UPnP setup is enabled for discovery, but not opening the firewall. So far so good.

The default WiFi is direct, enabled, no auth. Not too happy about that.

The device has a mode where it can save video to an SD card. And it conveniently will serve those files over its web interface for you.

It has sound detection, so you can cause an alert when something occurs (as well as motion and temperature).

Interestingly it has 4 profiles for RTSP, about 3 more than I figured it would have.

OK, enough looking at it in the 'no internet mode', time to do some captures and let it loose on the world. It gives me a URL (http://85945000.cam.trendnetcloud.com/), which is *my* cloud URL for it. As soon as the device hits the internet, this becomes live. Sadly:

Browser Compatibility Notice

The browser version you are using (Google Chrome 63.0.3239.84) is not supported by the TRENDnet Cloud service. If you are using a mobile device, please download the TRENDnet CloudVIEW mobile app. You can also use one of the following browsers on your computer to view your camera: 

Internet Explorer (Windows desktop version only): IE9.0 to IE11.0
Safari (Mac version only): 5.1.7
Firefox: version 22.0 to 37.0
Google Chrome (Windows desktop version only): version 28.0 to 40.0

is what it has to say. Boo. I have Firefox 58 (which is bigger than 37), and Chrome on Linux only.

OK, so I open it on my phone. And WTF, it redirects to trendcloud.com, which is owned by a domain squatter! Yes, I could buy it.

OK, while that sinks in, let's look at the capture file. Helpfully it talks to AWS without encryption, and passes its cloud credentials in the clear. Even more helpfully these cloud credentials are hard-coded to the device. Nice touch. It does a POST to /enable.html with its key.

Coming back to the cloud URL, the capture suggests the correct one is lbcam.trendnetcloud, not cam.trendnetcloud.com. Hmm. Specifically http://85945000.lbcam.trendnetcloud.com/. Let's try that. OK good, the phone at least agrees that this is 'incompatible with modern browsers'. Trying a 'user agent switcher', I am presented with an option to install a Windows executable in each case, no good.

OK, so I broke down and booted a Windows VM. And installed the 'InstallTRENDnetCloud2' msi. But it just keeps saying "did you install the plugin"? If I say yes, it says restart the browser. If I say no, it says to install. I guess because Chrome and IE are too new. Hmm. OK, install an old version of Firefox. And boom, I'm in, and watching myself.

So yes, even though I did not open my firewall, the default mode of operation is to allow anyone to see/hear/speak through my device, through my firewall, through their cloud. Interestingly from the cloud (external web interface) I can also upload new firmware directly. And since there is no use of TLS on either side (the camera to cloud, or web to cloud) the password is passed in the clear each way. Great.

Yes, sure enough, on each end, the info is passed in the clear. You can see it below:
GET /users/stream_info.cgi HTTP/1.1
Host: 10.255.254.94
Referer: http://10.255.254.94:80/users/stream_info.cgi
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Digest realm="nipca", nonce="9261151863c4390bb053da7f837a6790c20010ac", qop="auth"
Content-Type: text/html
Content-Length: 91
Date: Sat, 30 Dec 2017 20:47:26 GMT
Server: dcs-lig-httpd
Unauthorized
Please enter correct account/password.

GET /users/stream_info.cgi HTTP/1.1
Host: 10.255.254.94
Referer: http://10.255.254.94:80/users/stream_info.cgi
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 5.0)
Authorization: Digest username="admin", realm="nipca", qop="auth", algorithm="MD5", uri="/users/stream_info.cgi", nonce="9261151863c4390bb053da7f837a6790c20010ac", nc=00000001, cnonce="ad9d46c392d98dc66a33d083ec62b770", response="fa5c5c9fe59c8787cc74a35c2c883099"

HTTP/1.1 200 OK
 ...
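
What the Digest exchange above exposes to anyone on the path, as an added example (not code from the original post): it parses the captured Authorization header and recomputes the RFC 2617 response, showing that the password is the only input to the hash that is not on the wire. Function names are illustrative.

```python
import hashlib
import re

# Authorization header copied from the capture above (sent over plain HTTP).
CAPTURED_AUTH = (
    'Digest username="admin", realm="nipca", qop="auth", algorithm="MD5", '
    'uri="/users/stream_info.cgi", '
    'nonce="9261151863c4390bb053da7f837a6790c20010ac", nc=00000001, '
    'cnonce="ad9d46c392d98dc66a33d083ec62b770", '
    'response="fa5c5c9fe59c8787cc74a35c2c883099"'
)


def md5_hex(text):
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def parse_digest(header):
    """Split a Digest Authorization header into a dict of its fields."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest header")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}


def digest_response(password, method, f):
    """RFC 2617 response for qop=auth with algorithm MD5."""
    ha1 = md5_hex(f"{f['username']}:{f['realm']}:{password}")
    ha2 = md5_hex(f"{method}:{f['uri']}")
    return md5_hex(
        f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:{f['qop']}:{ha2}"
    )


def secret_inputs(f):
    """Inputs to the response hash that the header itself does not reveal."""
    needed = {"username", "realm", "nonce", "nc", "cnonce", "qop", "uri"}
    return sorted(needed - f.keys()) + ["password"]


if __name__ == "__main__":
    fields = parse_digest(CAPTURED_AUTH)
    print("visible on the wire:", sorted(fields))
    print("not on the wire:", secret_inputs(fields))
```

Since the response is plain MD5 over values sent in cleartext, the login here is only as strong as the password itself; wrapping the session in TLS is what keeps these fields away from an observer.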

OK, so what did we learn?

An attempt was made to secure the device locally. If it had no internet access, this would have been in the realm of 'normal' for such consumer devices.

The cloud interface is not secure. It makes no particular attempt.

The cloud interface bypasses your firewall. Without even using the port-forwarding. The device connects outbound, and allows things inbound on this, bridged in their cloud app.

No encryption is used, and the credentials are hard-coded.

Conclusion: buy this if you want random people to be able to see, hear, and talk to your kids when you are not around. $20 well spent.

4 comments on “What are we buying? A wifi baby camera. Will it be secure?”
  1. db Jason Chu says:

    First off, great post, saves me time from doing my own digging.

    Looking at the date of your review post, the 1.0.3 firmware should already be out.
    Did you update the firmware prior to the testing?

    I’ve recently gotten one, though not for the purpose of baby monitoring, but for its temperature alert. (similar smart home temperature alert devices cost like 3-4x this camera!)

    Digging around with the latest firmware, I do see options for disabling the cloud service, not sure if that option was available in the 1.0.0. Though I haven’t tested whether the camera will attempt to talk to outside with the cloud service disabled, having that option there is reassuring.

    So I do think this camera could be “secure” (note I have quotes on that word), if you set it up properly.

    P.S. A tip on using the older Firefox version, for Windows users, you could install Firefox Portable in older versions. This is a very common issue with many ip cameras.

    • db db says:

      google ‘esp8266’ or ‘esp32’ and you will fall in love for temperature monitoring etc, and never bother with these junk again 🙂

      And then you’ll run ‘mqtt’ using ‘mosquitto’ and then HomeAssistant… And after a bit you might realise you have a problem!

      I tried the testing as-is from the box and w/ the most current sw @ the time.

      pps this was one terrible optical quality camera.

      egress firewalls for the win!

      • db Jason Chu says:

        Interesting!
        But those are more in the DIY/tinkering realm.
        I shall take a look into them when I have more time.
