Is it Really that Bad? Exploring IoT Camera Security

Abstract

Internet of Things devices are becoming increasingly common in our lives and in our homes. Connected sensors and controls are inexpensive and popular to buy online and in stores. Their sleek plastic shells promise a well-designed package, but these devices can harbor surprising secrets. With a 4-star rating from hundreds of reviewers on Amazon, a slick mobile app, and a $99 price tag, the Reolink Argus 2 wireless camera seems to tick all the boxes for a savvy shopper. I bought one to use in my home, but after hearing horror stories about IoT devices I decided to open it up to see how it worked, and to investigate if the software was respecting my privacy and security. This talk will share my discoveries in reverse engineering this device and explore the implications of their design decisions. I'll go through contacting the vendor and trying to responsibly disclose my discoveries. I'll also share the resources that I've discovered and written to fix the security problems and make it a useful, more secure device.

Presented by

    Ben Kero

    Ben is a long-time Linux systems engineer and hacker who focuses on DevOps topics, embedded Linux, and free software advocacy. Previously he has held positions designing and administering systems at the OSU Open Source Lab, Mozilla, and Red Hat. He specializes in Linux systems, configuration management, and continuous integration. When he is not deploying and testing new computers, he is riding his homemade electric bike, tuning the free software computer in his car, or rebuilding old ThinkPads.