
Security flaws let anyone snoop on Guardzilla smart camera video recordings - taspeotis
https://techcrunch.com/2018/12/27/guardzilla-security-camera-flaws/
======
wpietri
I took a look at Crunchbase and they barely have a listing:
[https://www.crunchbase.com/organization/guardzilla](https://www.crunchbase.com/organization/guardzilla)

The earliest Wayback entry I can find already has a slick site and an upcoming
deal with BestBuy
[https://web.archive.org/web/20141217054015/https://www.guard...](https://web.archive.org/web/20141217054015/https://www.guardzilla.com/)

The company has a very small number of employees on LinkedIn:

[https://www.linkedin.com/search/results/people/?facetCurrent...](https://www.linkedin.com/search/results/people/?facetCurrentCompany=%5B%2218929661%22%5D)

Their CTO's previous job was apparently selling phone systems:

[https://www.linkedin.com/in/geoffreytruskowski/](https://www.linkedin.com/in/geoffreytruskowski/)

And here's their former president, "founder, creator and driving force", whose
background is all sales.

[https://www.linkedin.com/in/tedsiebenman/](https://www.linkedin.com/in/tedsiebenman/)

So at first blush this looks like a Potemkin company, a pure marketing front.

As an aside, it's my firm opinion that salespeople generally make terrible
CEOs. I've heard so many horror stories. Their big skill, painting a beautiful
picture for potential customers, can easily turn toxic when that is
unconstrained by the parts of the organization responsible for practical
realities. Was this secure? Definitely not. Did it have enough buzzwords it
could be sold as secure? Sure! So ship the boxes, cash the checks, and move
on. 3+ years is a great run for a scam.

------
shakna
The report [0] might be one of the most damning I've seen for a little while.

DES-encrypted AWS S3 creds with unlimited access baked in. Hashcat makes short
work (hours) of DES these days.

OpenSSL 1.0.1g, which is rather outdated and rather vulnerable: integer
overflow, easily DoS-able, and double-free, amongst others.

And all of this with proof it works, whilst the company blusters.

> Siwak was adamant that the “accusations are false,” but did not say why.

... As far as I can tell without breaching my local laws by running the
exploits... S3 hasn't revoked those keys yet, or required a more limited
policy.

[0] [https://www.0dayallday.org/guardzilla-video-camera-hard-code...](https://www.0dayallday.org/guardzilla-video-camera-hard-coded-aws-credentials/)

------
laurencei
> Fixing the vulnerability not only requires the keys to be changed on the
> server, but also a software patch to be rolled out on each affected device.

Is this correct?

Couldn't they just change the existing keys in AWS to be "write only" - and
therefore allow a one-way stream of data "in"?

That way, even with the keys, you can't actually get any existing videos, and
can only place new ones there?

I do this for my web application backups - my AWS keys on the server are
"write only" (with no overwrite) to S3. Then, if my server was ever
compromised, my backups are NOT and are protected because the attackers can't
get to them (to either overwrite or read the existing backup).

~~~
oavdeev
How did you do "no overwrite" bit? By enabling versioning?

~~~
laurencei
I use `s3:PutObject` with versioning - yes.

Although I've not tested if only having `s3:PutObject` even allows overwriting
in the first place? You might not need versioning.

Also - they don't have `list` or `read` access, so they can't even see what
files are there to overwrite in the first place. They might be able to guess
depending on your code, but add some random numbers and you'd be pretty
safe.

Any AWS IAM experts able to confirm if `s3:PutObject` allows overwrite?

~~~
oavdeev
It does; unfortunately they don't have a nice way to just disallow overwrites
(that's why I was curious how you implemented that)
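The exchange above (a write-only S3 key, and whether `s3:PutObject` alone can stop overwrites) is illustrated by the following added example; it is not code from the thread or from Guardzilla. It builds the kind of IAM identity policy laurencei describes, with explicit Deny statements for the actions a leaked key must never have, and runs a deliberately small local model of IAM's evaluation order (explicit deny beats allow, otherwise implicit deny) to show what a holder of that key could do. The bucket name and object keys are assumptions; the evaluator ignores conditions and resource policies, so for a real account confirm with `aws iam simulate-principal-policy`:

```python
"""Write-only S3 credential policy plus a local check of what a leaked key can do.

Added example, not code from the thread. Assumes a hypothetical bucket
"example-camera-uploads". The evaluator is a simplified model of IAM's
evaluation logic (explicit Deny > Allow > implicit deny) and does not model
conditions, resource policies or S3 Object Lock.
"""
import fnmatch
import json

BUCKET = "example-camera-uploads"  # assumed bucket name

# Identity policy for the IAM user whose access key ships on the device.
# Only s3:PutObject is allowed. Reading, listing, deleting and tampering
# with versioning are explicitly denied so that a later, sloppier Allow
# statement cannot silently re-grant them.
WRITE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowUploadOnly",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": [f"arn:aws:s3:::{BUCKET}/*"],
        },
        {
            "Sid": "DenyReadListDeleteAndVersionTampering",
            "Effect": "Deny",
            "Action": [
                "s3:GetObject*",           # read existing recordings
                "s3:ListBucket*",          # enumerate keys to target
                "s3:DeleteObject*",        # covers s3:DeleteObjectVersion too
                "s3:PutBucketVersioning",  # attacker switching versioning off
                "s3:PutLifecycleConfiguration",
                "s3:PutObjectAcl",         # making uploads public
            ],
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
        },
    ],
}


def _matches(pattern: str, value: str) -> bool:
    """IAM action/ARN patterns use '*' and '?' wildcards; actions are case-insensitive."""
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: a matching Deny wins, else a matching Allow,
    else implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not (any(_matches(a, action) for a in actions)
                and any(_matches(r, resource) for r in resources)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def attacker_capabilities(policy: dict, bucket: str, existing_key: str) -> dict:
    """What someone holding the leaked key can do against the bucket."""
    obj = f"arn:aws:s3:::{bucket}/{existing_key}"
    return {
        "upload_new": is_allowed(policy, "s3:PutObject", f"arn:aws:s3:::{bucket}/new/clip.mp4"),
        # A PUT to an existing key is still s3:PutObject: the policy cannot tell
        # create from overwrite, which is why bucket versioning is what keeps
        # the previous copy, and why DeleteObjectVersion must be denied.
        "overwrite_existing": is_allowed(policy, "s3:PutObject", obj),
        "read_existing": is_allowed(policy, "s3:GetObject", obj),
        "list_keys": is_allowed(policy, "s3:ListBucket", f"arn:aws:s3:::{bucket}"),
        "delete_existing": is_allowed(policy, "s3:DeleteObject", obj),
        "delete_old_version": is_allowed(policy, "s3:DeleteObjectVersion", obj),
        "disable_versioning": is_allowed(policy, "s3:PutBucketVersioning", f"arn:aws:s3:::{bucket}"),
    }


if __name__ == "__main__":
    print(json.dumps(WRITE_ONLY_POLICY, indent=2))
    caps = attacker_capabilities(WRITE_ONLY_POLICY, BUCKET, "cam1/2018-12-27.mp4")
    for capability, ok in caps.items():
        print(f"{capability:20} {'ALLOWED' if ok else 'denied'}")
```

Running it shows the two PutObject rows allowed and everything else denied: the key can add recordings but cannot read, list or delete them, and an overwrite only adds a new version on top of the old one. If overwrites themselves must be impossible rather than merely non-destructive, that is a bucket-level control (S3 Object Lock) rather than anything an IAM action grant can express.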

------
agildehaus
Someone should just start uploading terabytes of data to S3 using their key.
They'll get the message eventually.

~~~
gear54rus
Probably. How do you monetize this though? You can't easily do it the
black-hat way (not every vuln is worth something and you gotta have channels
for distribution).

On the other hand we've got bug bounties which are never paid, using bullshit
excuses, so you can't monetize it using white-hat ways either.

The correct solution seems to be to research distribution channels for black
hat ways? Doesn't sound constructive.

------
walrus01
The guy who runs the Twitter account "internet of shit" seems more prescient
every day.

