Remote code execution flaw allowed hijack of Motorola Halo+ baby monitors
15 September 2021 at 15:53 UTC
Updated: 15 September 2021 at 15:56 UTC
Expectant parent finds severe security problems in his new baby monitor
Remote code execution (RCE) and comms protocol vulnerabilities that would have allowed baby monitors to be hijacked have been discovered and resolved.
On Tuesday, cybersecurity researcher Randy Westergren published his findings on the security posture of the Motorola Halo+, a popular baby monitor.
Westergren, whose day job is as the engineering director of US financial services company Marlette Funding, and his wife were expecting their first child and so went hunting for a suitable monitor, selecting the Motorola Halo+ as their preferred option.
The Motorola Halo+ features an over-the-crib monitor, a handheld unit for parents, and a Wi-Fi-connected mobile application to monitor children, and their environment, in Full HD. The researcher decided the set-up “deserved a closer look”.
It was a matter of hours before Westergren discovered a pre-authentication RCE security flaw and the means to obtain a full root shell.
Westergren began by examining the device’s listening services and reverse-engineering the monitor’s Android app, Hubble Connected for Motorola Monitors.
Hubble Connected pulls information beyond simply the monitor’s camera feed and presents it in the user’s display. This data includes room temperature, night lights, and the status of the monitor’s light show projector.
By examining system logs alone, it was possible to find the app’s API requests to gather this information, many of which involved services that interacted with Hubble’s cloud platform.
The researcher also examined HTTP-based communication and how the app’s local API operated. Westergren was able to use local API commands to find and lists, as well as “value” parameters that would accept user input, “potentially leading to RCE if not properly sanitized,” he explained.
Westergren then created a reboot shell injection payload and performed the ‘set_city_timezone’ action in the device, forcing an immediate restart and obtaining shell access in the process.
In addition, the researcher also came across a bug in the implementation of the IoT messaging standard MQTT. Westergren found that the client was configured to subscribe to #and $SYS/# by default, which reduced access control security levels among Hubble devices.
“A number of command[s] result from various devices,” the researcher noted. “Though I did not attempt this, I think it was very likely that a client could easily control the entire device fleet by publishing arbitrary commands.”
While the product appears under the Motorola Mobility brand, its manufacturing unit was acquired in 2014 by Lenovo.
Westergren said that once the initial report was made to Lenovo’s security team on April 9, they were quick to respond. By April 16, Lenovo had confirmed the issues and began working on security fixes.
The first set of patches were incomplete, however, and the tech giant said there would be further delays, as “we have opened additional requirements to our licensee for this product to resolve this issue, which has added some complexity”.
Both the RCE and MQTT problems have now been patched, in firmware versions 03.50.06 and 03.50.14, respectively.
The baby monitor’s RCE vulnerability has been assigned as CVE-2021-3577, whereas the MQTT credentials issue is now tracked as CVE-2021-3787.
The Daily Swig has reached out to Lenovo for comment. We will update this story as and when we hear back.
YOU MAY ALSO LIKE Credential leak fears raised following security breach at Travis CI