Guardzilla’s top-selling indoor wireless security system uses hardcoded keys to upload video recordings to the company’s storage servers on AWS. Because the device’s root password is hashed with a decades-old algorithm that is easily broken today, those keys can be extracted from the firmware, the researchers said. This would allow anyone not only to access the data uploaded from a compromised device, but also to access the company’s cloud storage in full.
“We’ve tried several avenues to get in touch with Guardzilla, but they have not acknowledged the report,” said Tod Beardsley, Rapid7’s research director, who helped coordinate the release of the researchers’ findings. It took two off-the-shelf consumer graphics cards and just three hours to crack the eight-letter root password in the firmware that ships with each affected Guardzilla device, the researchers said. Once past it, the keys were easy to find: they were buried in the firmware’s code itself.
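As an added illustration (not code from the researchers, Rapid7 or Guardzilla), the Python script below shows the kind of check that turns up credentials of this sort once a firmware image has been unpacked: it scans the bytes for AWS access-key IDs, pairs each with a nearby 40-character secret, and flags password hashes in legacy crypt(3) formats that consumer GPUs brute-force cheaply. The article does not name the hash algorithm Guardzilla used; treating the traditional 13-character DES crypt format (and md5crypt) as the weak case is this example’s assumption, and SAMPLE_FIRMWARE is a constructed blob using the key pair from AWS’s own documentation rather than anything from a Guardzilla device.

```python
"""
Scan unpacked firmware bytes for hardcoded AWS credentials and weak crypt(3) hashes.

Added example, not the researchers' or vendor's code. It assumes the firmware has
already been unpacked (e.g. with binwalk) so configuration files and /etc/shadow
are readable bytes. SAMPLE_FIRMWARE is constructed: it uses the example key pair
from AWS documentation and a made-up 13-character DES-style hash.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Long-lived IAM user keys start with AKIA, temporary STS keys with ASIA;
# both are 20 characters: 4-char prefix + 16 uppercase alphanumerics.
ACCESS_KEY_RE = re.compile(rb"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are exactly 40 characters of the base64 alphabet.
SECRET_KEY_RE = re.compile(rb"(?<![A-Za-z0-9/+])[A-Za-z0-9/+]{40}(?![A-Za-z0-9/+])")
HEX40_RE = re.compile(rb"[0-9a-fA-F]{40}")
# /etc/shadow-style "user:hash:..." records; a record may start at the blob start,
# after a newline, or after a NUL when files are concatenated in a raw image.
SHADOW_RE = re.compile(rb"(?:^|(?<=[\n\x00]))([a-z_][a-z0-9_-]*):([^:\r\n\x00]*):")
# Schemes a consumer GPU rig brute-forces quickly for short passwords (assumption
# of this example; the article does not name the algorithm).
WEAK_SCHEMES = {"des-crypt", "md5crypt"}


@dataclass
class Credential:
    offset: int
    access_key_id: str
    secret_access_key: Optional[str]


@dataclass
class PasswordHash:
    user: str
    scheme: str


def classify_hash(h: bytes) -> str:
    """Name the crypt(3) scheme from the $id$ prefix, or the legacy unprefixed DES form."""
    if h == b"":
        return "empty"
    if h == b"*" or h.startswith(b"!"):
        return "locked"
    prefixes = {b"$1$": "md5crypt", b"$2a$": "bcrypt", b"$2b$": "bcrypt", b"$2y$": "bcrypt",
                b"$5$": "sha256crypt", b"$6$": "sha512crypt", b"$7$": "scrypt", b"$y$": "yescrypt"}
    for prefix, name in prefixes.items():
        if h.startswith(prefix):
            return name
    # Traditional DES crypt: 2 salt chars + 11 hash chars from [./0-9A-Za-z], no prefix.
    if re.fullmatch(rb"[./0-9A-Za-z]{13}", h):
        return "des-crypt"
    return "unknown"


def find_aws_credentials(blob: bytes, window: int = 512) -> List[Credential]:
    """Pair each access key ID with the nearest plausible secret within `window` bytes."""
    found = []
    for m in ACCESS_KEY_RE.finditer(blob):
        lo, hi = max(0, m.start() - window), min(len(blob), m.end() + window)
        secret = None
        for s in SECRET_KEY_RE.finditer(blob[lo:hi]):  # slicing: boundary runs may be cut
            # A 40-hex run is almost always a SHA-1 digest, not a secret key.
            if HEX40_RE.fullmatch(s.group(0)):
                continue
            secret = s.group(0).decode("ascii")
            break
        found.append(Credential(m.start(), m.group(0).decode("ascii"), secret))
    return found


def find_password_hashes(blob: bytes) -> List[PasswordHash]:
    """Classify every shadow-style record found in the blob."""
    return [PasswordHash(u.decode("ascii"), classify_hash(h)) for u, h in SHADOW_RE.findall(blob)]


def weak_hashes(blob: bytes) -> List[PasswordHash]:
    """Only the records whose scheme is cheap to brute-force."""
    return [p for p in find_password_hashes(blob) if p.scheme in WEAK_SCHEMES]


# Constructed sample: binary noise, a SHA-1 that must not be mistaken for a secret,
# the AWS documentation example key pair, and three shadow records.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 40
    + b"sha1=2fd4e1c67a2d28fced849ee1bb76e7391b93eb12\n"
    + b"[upload]\nbucket=example-video-bucket\n"
    + b"aws_access_key_id=AKIAIOSFODNN7EXAMPLE\n"
    + b"aws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    + b"\x00" * 16
    + b"root:ab01FAX.bQRSU:10933:0:99999:7:::\n"
    + b"admin:$6$Zt3q9Pm1$9yV0hTxUcq2p3nH7Lw5sKjX8bRfGa1Dd4eYn6Mo2Ci0uE7vBz5Wx3Qs9Tf2kHl8Jr1Pn4Sd6Gv0Ym3Cb:10933:0:99999:7:::\n"
    + b"nobody:*:10933:0:99999:7:::\n"
)

if __name__ == "__main__":
    for c in find_aws_credentials(SAMPLE_FIRMWARE):
        state = "secret found" if c.secret_access_key else "secret not found"
        print(f"AWS access key {c.access_key_id} at offset {c.offset}: {state}")
    for p in find_password_hashes(SAMPLE_FIRMWARE):
        print(f"{p.user}: {p.scheme} [{'WEAK' if p.scheme in WEAK_SCHEMES else 'ok'}]")
```

Run against the files of an unpacked root filesystem rather than a compressed image, since a squashfs or gzip blob will hide the strings; the hex filter and the proximity window are what keep the scan from drowning in the 40-character digests that litter real firmware.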
Changing the keys on the server may not be enough to fix this vulnerability: every device in the field still carries the old credentials baked into its firmware, so Guardzilla will also have to roll out a software patch to every affected device. “That’s a pretty significant change, but it’s just about the only way to avoid this kind of problem,” Beardsley said.
The storage servers remain vulnerable even after the researchers privately emailed the company about the issue. A major news publication has reported the same findings, and Guardzilla still does not appear to have acknowledged the warnings.