Attackers might use security flaws in Nooie baby monitors to access video streams or execute malicious code on susceptible devices. Bitdefender researchers obtained remote code execution (RCE) capabilities on two variants of Nooie’s Baby Cam newborn monitoring devices. Other devices in the same range may also be susceptible, although this has yet to be proven.
The Nooie Cam app has between 50,000 and 100,000 downloads on the Google Play Store, indicating that the technology is extensively used. Bitdefender’s researchers have discovered four different flaws. The first vulnerability was a stack-based buffer overflow or memory corruption flaw that might allow remote code execution. The weakness, CVE-2020-15744, is a significant one.
Another vulnerability allows attackers to access an arbitrary camera’s RTSPS (audio-video) stream. To announce the status of IoT devices and receive a URL location connected to RTSPS audio/video streams for each unique IoT device, Nooie’s baby cams use the MQTT protocol.
According to Bitdefender’s research, the MQTT server that manages feeds does not need authentication, allowing a prospective attacker to subscribe to a feed and obtain IDs for every device as it comes online. Nooie’s baby cams use Amazon Web Services (AWS) to save recordings in the cloud. Each device has its own set of credentials, but potential attackers may easily access this information.
“An attacker can easily spoof the camera and forge a request on its behalf and gain illicit access to the credentials,” as stated by Bitdefender. “The only prerequisites are the IDs leaked on the MQTT server (uuid and uid). After gaining access to the credentials, they can access the camera’s stored recordings.”
In November 2020, Bitdefender privately exposed several vulnerabilities, followed by proof-of-concept code and requests for an update on fix development status. Bitdefender went public with knowledge of the vulnerabilities and offered mitigations this month after failing to hear anything significant from the vendor, as described in a technical blog post. Meanwhile, Nooie has been unable to respond to Bitdefender’s study or assist buyers of impacted baby cams after being asked to do so.
