Exclusive: Maximus Answer DualCam Video How safe is the doorbell?

Exclusive: Maximus Answer DualCam Video How safe is the doorbell?

Maximus Answer DualCam is one of the best video doorbells available. But while DualCam may be great at protecting packages, how good is it at protecting data?

As part of a partnership with Tom's Guide, security firm Bitdefender analyzed the Maximus Answer DualCam video doorbell, which Tom's Guide reviewed in 2020 Bitdefender, examined the video doorbell's network communications and internal software and hardware, and its research report found that overall the video doorbell's security is quite good.

The only major vulnerability was the lack of server authentication in two instances. Video Doorbell did not verify the Amazon Web Services data "bucket" into which it uploaded video feeds and logs. It also did not authenticate the servers that download firmware updates.

These network communications are sent using the normal HTTPS web protocol, not the OpenVPN protocol used to process commands from the smartphone app to the video doorbell.

This flaw could, at least in theory, lead to a man-in-the-middle attack if an attacker already on the doorbell owner's home Wi-Fi network could force the doorbell to accept a fake HTTPS certificate and intercept the upload.

"As a result, an attacker in between the camera and the server could intercept uploaded logs and recordings," the Bitdefender report states.

In other words, your pesky neighbor could intercept your video feed in this way. To protect yourself from such an attack, try to use strong, unique passwords when accessing your home Wi-Fi network, even though it may be unlikely.

As for the log files, "They do not contain sensitive information that could be useful to an attacker. Most messages are about the camera's functionality.

As part of the log file, "the surrounding Wi-Fi network, its MAC address, and the current network name are sent," but "the current network password is not sent."

Hacking doorbells with fake firmware updates, a common method of attacking smart home devices, is very difficult with the Maximus Answer DualCam for several reasons.

First, the web address (URL) of the update server appears to be hard-coded into the firmware of the Maximus Answer DualCam video doorbell, and changing the server address requires root access.

Next, Bitdefender reports that "the attack requires knowledge of both the ta.key file (which authenticates the TLS connection) and how to trick the camera into connecting to the rogue server."

At least in theory, an attacker could probably "spoof" the Maximus server by setting up a rogue Wi-Fi hotspot and having the doorbell connect to it. Then, by contaminating the DNS files of the rogue hotspot, they can redirect queries for the server URL and have the attacker's machine accessed as the "server" instead.

Third, the doorbell's Wi-Fi network connection can only be configured or modified via Bluetooth using the Kuna companion app on the owner's smartphone.

The Kuna app sends the doorbell's serial number and random data ("nonce" in cryptographic terms) to the Maximus server. The server replies with a token (consisting of a "hashed" version of the nonce and a secret code) that authenticates the video doorbell, giving the doorbell local Wi-Fi access credentials obtained from the owner's Kuna smartphone app.

"A Bluetooth connection can be established at any time to change Wi-Fi networks, but only the camera owner can initiate it.

"If an attacker wants to modify the network, he needs either a secret to create a token or a token provided by the server. The secret is unknown and the server only sends the token to the owner. "

Finally, Maximus Answer DualCam firmware updates are digitally signed by the vendor. Rogue firmware updates delivered from rogue servers are simply not installed.

"Any modification to the binary will result in a signature mismatch. In this case, the binary will be destroyed." In this case, the binary is destroyed." An attacker cannot forge a signature because a private certificate corresponding to the public key used to check the signature is required."

Otherwise, the Maximus Answer DualCam video doorbell is secure. As mentioned above, it uses the OpenVPN protocol for most communications with the server, so third parties on the same wireless network as the video doorbell cannot decrypt the signal.

Each camera has a unique digital identifier that allows the server to identify itself. Attempts to access the video doorbell's port via the local Wi-Fi network failed, as did attempts to exploit the OpenVPN connection using a widely applicable flaw.

Commands sent by the owner to the video doorbell go through the Maximus server, but each request requires an authentication token.

In addition, "To change the camera's settings, a serial number is required. An attacker who knows the serial number cannot change the configuration because ownership is verified.

The same authentication is required for live streaming.

Even UART connections, where wires are clipped to specific locations on the motherboard for software or hardware debugging, require a password in this case; UART connections are often a trusted backdoor to smart home devices, but Maximus Answer DualCam video doorbell does not.

Bitdefender researchers used several tools and methods to analyze the security of the Maximus Answer DualCam.

A virtual machine running on a PC acted as a Wi-Fi access point. The penetration testing tool Burp Suite was used to monitor encrypted network traffic; the UBI Reader Extract Files utility was used to read the file system on the firmware disk image.

The Bluetooth Host Controller Interface logging tool built into Android (Developer mode enabled) was used to capture data packets exchanged between the smartphone and the video doorbell during the initial setup process. A Wireshark network packet analyzer was used to capture and inspect these packets; a man-in-the-middle attack was launched using custom digital certificates to decrypt traffic to and from the Android app.

The Ghidra decompiler developed by the US National Security Agency was used to reverse engineer the binary data. The network mapper Nmap was used to verify that Maximus Answer DualCam had no open ports.

Overall, the Maximus Answer DualCam video doorbell appears to be safe to use, except that someone on the Wi-Fi network may be able to intercept the video feed.

Unless you work for a defense contractor or an organization involved in national security, most people will not need to worry. The Maximus Answer Dual Cam Video Doorbell is an A-minus if I had to give it a security score.

.

Categories