The IZON surveillance camera sold in Apple Stores and Best Buy outlets is filled with security holes that enable a hacker to easily commandeer the device, a security researcher said.

Mark Stanislav, security evangelist for two-factor authentication platform vendor Duo Security, started investigating the camera after buying the Wi-Fi device for his home and discovering it was configured, so anyone could access the device if it’s on the Internet.

Stanislav’s findings, presented this week at the Rochester Security Summit in Rochester, N.Y., were startling. With only an IP address for the device, a person could log into the Web interface of any IZON camera, using the default user name and password, which was “user” for both, Stanislav said.

Once logged in, a person could view everything the camera sees within the home. Stanislav found the credentials hardcoded in the camera manufactured by Stem Innovation. The IZON is managed through an iPhone or iPad mobile app available for free on Apple’s App Store.

Stem Innovation did not respond to requests for comment. Within the mobile app, Stanislav found the hardcoded credentials for administration privileges, which means a person could set alerts and make other configuration changes.

The camera has a motion and an audio sensor that can be turned on when people are away from their homes. The purpose of the credentials stored in the app is to perform firmware updates. […]

Source www.csoonline.com