WowWee Rovio Insufficient Access Controls

Type packetstorm
Reporter Brian Dowling
Modified 2009-01-15T00:00:00


WowWee Rovio - Insufficient Access Controls - Covert Audio/Video Snooping Possible
Rovio from WowWee does not adequately secure all accessible URLs or media  
streams, enabling an unauthorized user with network access to the robotic  
webcam platform the ability to listen to and view audio/video streamed from  
the device's onboard camera. Additionally, audio-send capabilities are also  
not secured, enabling mischievous sending of audio through Rovio's built-in  
speaker. Additional manipulations may be possible, robot control does not  
appear to be impacted at this time.  
From WowWee Website:
Rovio(tm) is the groundbreaking new Wi-Fi enabled mobile webcam that lets
you view and interact with its environment through streaming video and
audio, wherever you are!
Unfortunately, Rovio's access control mechanisms (username/password) are not  
completely utilized across the platform even when enabled. Certain URLs and  
RTSP Streaming capabilities of the device are accessible with no  
authentication. Furthermore, deployment of the device in the default  
configuration attempts to use UPnP to automatically configure your firewall to  
allow external access to the mobile webcam platform.  
Resources exposed without proper access controls include:  
rtsp://[rovio]/webcam -- RTSP Audio/Video Stream, directly accessible.
and the following http://[rovio]:[publishedport]/ URLs are accessible to anyone:
/GetUPnP.cgi  -- Get UPnP config, including ports in use for RTSP
/GetStatus.cgi -- display general device status
/GetVer.cgi   -- display firmware version; enables targeted attacks,
                 discovery.
/ScanWlan.cgi -- display WiFi networks visible to device
/GetAudio.cgi -- "Send" audio to Rovio's speaker, "What's up Doc?"
/GetMac.cgi   -- device MAC address
/Upload.cgi   -- upload new firmware [actual upload untested]
/Cmd.cgi      -- Accessible without arguments, but does not appear to
                 allow ACL bypass to normally protected sub-commands.
                 Unknown if any hidden commands exist.
/SendHttp.cgi -- When authentication is enabled, this appears to be
                 protected. However, in a default configuration with
                 no authentication, it could provide for interesting
                 reverse-proxy-like manipulation of web-based firewall
                 admin interfaces.
                 Additionally, this script is used by the "Ping Test"
                 that WowWee sends to their servers to help verify that
                 your internet connectivity and UPnP settings are
                 working. What's disheartening here is that your IP
                 address and Rovio's port are sent to WowWee and
                 potentially stored in their server logs.
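As an added check that is not part of the original advisory: a small Python script a Rovio owner can run against their own device to confirm whether the read-only status URLs above still answer without credentials, for example after a firmware update. Only the status endpoints are probed (audio, upload and command URLs are deliberately left out); the base URL and the canned responses used in the self-test are assumptions, the paths are the ones listed above.

```python
import sys
import urllib.error
import urllib.request

# Read-only status endpoints the advisory lists as reachable without
# credentials. The audio, upload and command endpoints are deliberately
# left out so that this check only reads device status.
STATUS_ENDPOINTS = [
    "/GetUPnP.cgi",
    "/GetStatus.cgi",
    "/GetVer.cgi",
    "/ScanWlan.cgi",
    "/GetMac.cgi",
]


def http_status(url, timeout=5):
    """Status code of an unauthenticated GET (no Authorization header sent)."""
    req = urllib.request.Request(url, headers={"User-Agent": "rovio-auth-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def classify(status):
    """Map an HTTP status code to the access-control outcome we care about."""
    if status == 200:
        return "exposed"          # content served with no credentials
    if status in (401, 403):
        return "protected"        # device demanded authentication
    return "other:%d" % status    # e.g. 404 if a newer firmware removed it


def audit(base_url, endpoints=STATUS_ENDPOINTS, fetch=http_status):
    """Return {path: outcome}. `fetch` is injectable so the logic can be
    exercised offline against canned responses."""
    base = base_url.rstrip("/")
    return {path: classify(fetch(base + path)) for path in endpoints}


if __name__ == "__main__":
    # Usage: python rovio_auth_check.py http://[rovio]:[publishedport]
    report = audit(sys.argv[1])
    for path, outcome in report.items():
        print("%-15s %s" % (path, outcome))
    # Non-zero exit if anything still answers without credentials.
    sys.exit(1 if "exposed" in report.values() else 0)
```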
Additionally, WowWee is advised that they should alter the default  
configuration to not automatically utilize UPnP to attempt to open up external  
access to these devices.  
1) In the default configuration no authentication is required until the user  
sets up accounts.  
2) Proper notification should be displayed to users regarding the potential
risks and ramifications of these settings, and they must be involved in the
decision process by being required to take action to agree to expose such
devices to external access.
Additionally, it should be noted that the platform uses HTTP Basic  
authentication over unencrypted HTTP. Using such mechanisms across the  
internet does expose users to network-sniffing attacks, where an attacker  
could obtain the credentials or observe the data streams being transmitted.  
Users of this mobile Wi-Fi webcam may unwittingly open their homes up to
anonymous eavesdropping on their personal lives and communications.
WowWee must supply an updated firmware that fixes these issues.
Users of these devices are encouraged to disable direct external access and
seek other means to secure such access (authenticated, encrypting proxies, or
access over a VPN connection, for example). It is understood that most
consumers of these devices do not have such means, so WowWee should be
compelled to provide adequate protection and access controls.
This issue was discovered and disclosed by Brian Dowling of Simplicity.

2009-01-06 - Initial report to WowWee support.
2009-01-07 - Second request to simply confirm receipt of my first notification.
2009-01-08 - Automated, canned response from web-submission form.
2009-01-14 - Due to lack of an appropriate, timely response, the additional
             insight contained above, and general concern for users of these
             devices unknowingly being exposed in this way, this information
             has been publicly disclosed. Hopefully, as WowWee forays into more
             network-enabled consumer devices, they will provide proper
             channels and handling for vulnerability disclosure.