Misc Tech Notes

Sat 29 October 2016

Security and IoT

Posted by Peter Reuterås in article

After hearing about some break-ins in apartments I started to look at some IoT cameras. Since I work with IT security and generally feel a need to know how things work, this was a rather disappointing journey. I didn't save links to all the crap that I found since I initially didn't think of writing a blog post. So a note to self is to always treat all surfing and information gathering as research and keep notes.

The first device I looked at was the Withings Home video camera. It's sold by Apple, which seemed like some sort of mark of basic security and quality. First I wanted to know the basics of how the camera, app and cloud services work. That they work is not my question. What I would like to know is the communication flows, firewall requirements etc. Does the camera require UPnP to work? Which ports need to be open? How do connections get established? As far as I could find there is no information about this on the support pages for the product.
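
When the vendor doesn't document the communication flows, the only way to answer the firewall questions above is to observe the device yourself. The script below is an added example (not from the original post or from Withings) that summarizes a camera's traffic from router firewall log lines into the list a datasheet should have contained: which outbound ports it needs, whether it sends UPnP/SSDP discovery searches, and whether anything from the internet reaches it unsolicited. The log lines are constructed and loosely modelled on the KEY=VALUE output of the iptables LOG target; the LAN range, the device address 192.168.1.50 and all destination addresses are assumptions.

```python
"""Derive an IoT camera's firewall requirements from constructed firewall log lines.

Added example, not the post's or any vendor's code. Assumes a home LAN of
192.168.1.0/24 and a camera at 192.168.1.50; all addresses are constructed.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")            # assumed home network
SSDP_GROUP = ip_address("239.255.255.250")    # UPnP/SSDP multicast group
SSDP_PORT = 1900

# Constructed sample, loosely modelled on iptables LOG output (not real captures).
SAMPLE_LOG = """\
kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=TCP SPT=49152 DPT=443 SYN
kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.7 PROTO=TCP SPT=49153 DPT=443 SYN
kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 PROTO=UDP SPT=3478 DPT=3478
kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=198.51.100.9 PROTO=UDP SPT=3478 DPT=3478
kernel: FW-LAN IN=br0 OUT= SRC=192.168.1.50 DST=192.168.1.1 PROTO=UDP SPT=40001 DPT=53
kernel: FW-LAN IN=br0 OUT= SRC=192.168.1.50 DST=239.255.255.250 PROTO=UDP SPT=40002 DPT=1900
kernel: FW-IN IN=eth0 OUT=br0 SRC=203.0.113.9 DST=192.168.1.50 PROTO=TCP SPT=51000 DPT=8080 SYN
kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.7 PROTO=TCP SPT=50000 DPT=443 SYN
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return the KEY=VALUE fields of one log line as a dict (empty values allowed)."""
    return dict(FIELD_RE.findall(line))


def summarize(log_text, device_ip):
    """Classify every logged flow that involves device_ip.

    Returns counters keyed by (protocol, destination port) for traffic leaving
    the LAN, traffic staying on the LAN, and unsolicited traffic arriving from
    outside the LAN, plus a count of SSDP (UPnP discovery) searches.
    """
    device = ip_address(device_ip)
    summary = {
        "outbound_external": Counter(),  # camera -> internet
        "outbound_lan": Counter(),       # camera -> LAN hosts/multicast (DNS, mDNS, ...)
        "inbound_external": Counter(),   # internet -> camera (needs a port forward or UPnP mapping)
        "ssdp_discovery": 0,             # UPnP/SSDP M-SEARCH style multicast traffic
    }
    for raw in log_text.splitlines():
        f = parse_line(raw)
        if "SRC" not in f or "DST" not in f:
            continue  # not a flow record
        src, dst = ip_address(f["SRC"]), ip_address(f["DST"])
        key = (f.get("PROTO", "?"), int(f.get("DPT", 0)))
        if src == device:
            if dst == SSDP_GROUP and key[1] == SSDP_PORT:
                summary["ssdp_discovery"] += 1
            elif dst in LAN or dst.is_multicast:
                summary["outbound_lan"][key] += 1
            else:
                summary["outbound_external"][key] += 1
        elif dst == device and src not in LAN:
            # Traffic initiated from outside towards the camera: the case a
            # buyer most wants to know about before putting the device online.
            summary["inbound_external"][key] += 1
    return summary


def firewall_requirements(summary):
    """Render the summary as the plain-language list the vendor should have published."""
    lines = []
    for (proto, port), n in sorted(summary["outbound_external"].items()):
        lines.append(f"allow outbound {proto}/{port} ({n} flows)")
    for (proto, port), n in sorted(summary["inbound_external"].items()):
        lines.append(f"WARNING: inbound {proto}/{port} from outside the LAN ({n} flows): "
                     "the camera is reachable from the internet")
    if summary["ssdp_discovery"]:
        lines.append("device sends SSDP searches: check the router for UPnP-created port mappings")
    if not summary["inbound_external"]:
        lines.append("no unsolicited inbound traffic observed: no port forwarding or UPnP needed")
    return lines


if __name__ == "__main__":
    for line in firewall_requirements(summarize(SAMPLE_LOG, "192.168.1.50")):
        print(line)
```

Run against a real router log, the output gives you the allow rules to write for the camera's VLAN and, more importantly, tells you whether the device only ever calls out to the cloud (in which case UPnP can stay disabled) or whether something is reaching it from outside.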

Other questions that I had and couldn't find any answers to are listed below.

  • How long is the product supported? How long will you deliver security patches?
  • Does it include any open source software? Or rather, which open source software, and where are your code changes if it is GPL?
  • Where can I get notifications about security patches that need to be applied? A mailing list?
  • Any list of updated code with notes about security-related patches?
  • General information about the vendor's cloud security.

I probably had more questions at the time that I've forgotten now. The big disappointment was that there were so many questions that I couldn't find an answer to. The majority of the customers buying this sort of device won't have the same questions, which I totally understand. But it scares me that I can't find the answers, since that is an indication that there aren't any answers to be found and that there probably are defects in the product.

Withings at least had good support pages for normal users, and their cloud service didn't want you to install an exe file that only worked in IE and Safari on 32-bit Windows, which is what one other vendor required. D-Link scares me since they have so many different models on the market. How can they possibly deliver patches and updates in a timely manner with good quality? They are either the best company on test automation or they are just delivering products for different use cases that will never see an update after the product is finished.

When it comes to privacy and other legal documents Withings seems to have a department handling that area. Lots of documents to read, but no links to or information about licenses on code that they use.

Finally I can note that as of the time I'm writing this I haven't bought any product. I also haven't been able to find a single cloud-connected camera that I would recommend to anyone, and that is simply based on the lack of information about when the product will be EOL (end of life). Searching for EOL I first thought that Netgear would win an honorable mention for their EOL page. Then I found the line where one PCMCIA card should have been replaced by a newer card. The problem is that the "new" card has also reached EOL. The only plus is that the product page specifies that the product is "End of Life (Service Unavailable)".