Skip to main content

Security flaws let anyone snoop on Guardzilla smart camera video recordings

A popular smart security system maker has ignored warnings from security researchers that its flagship device has several serious vulnerabilities, including allowing anyone access to the company’s central store of customer-uploaded video recordings.

The researchers at 0DayAllDay found that Guardzilla’s top-selling indoor wireless security system contains a set of hardcoded keys that can be easily extracted, because the device’s root password was protected using a decade-old algorithm that’s nowadays easily crackable. Each device uses the same set of keys to upload video recordings to the company’s Amazon Web Services’ storage servers. Anyone can use these keys to log in and gain full access to the company’s cloud storage — and customer data uploaded from the device.

But the storage servers remain vulnerable — even at the time of publication, TechCrunch can confirm — despite the researchers privately emailing the company detailing the vulnerabilities in September.

“We’ve tried several avenues to get in touch with Guardzilla, but they have not acknowledged the report,” said Tod Beardsley, Rapid7’s research director, who helped coordinate the release of the researchers’ findings.

The team of five researchers said in their report that it took two off-the-shelf consumer graphics cards just three hours to decrypt the eight-letter password protecting the affected Guardzilla device’s firmware that ships with each device. Because the keys were buried in the code, anyone with a Guardzilla device could obtain the keys and gain unfettered access to the company’s 13 storage buckets hosted on Amazon’s servers. The researchers tested the keys but did not use them to access the buckets, they said, to prevent unintentional access to Guardzilla customer data.

TechCrunch confirmed that the keys were still active and linked to the listed buckets as of Wednesday. (We could not verify the contents of the buckets as that would be unlawful.)

Hardcoding keys isn’t an uncommon practice in cheaply manufactured internet-connected devices, but is considered one of the worst security practices for a hardware maker to commit as it’s easy for a hacker to break into a central server storing user data. Hardcoding keys has become such an acute problem that a recently passed California law will soon ban consumer electronics using default and hardcoded credentials from 2020.

Fixing the vulnerability not only requires the keys to be changed on the server, but also a software patch to be rolled out on each affected device.

“They could update the keys and update the firmware, but that just means they’ll be rediscovered again by the same techniques,” said Beardsley. “The only way I can think of to fix this completely is to change the keys, stand up a proxying service and update the firmware to use this proxying service with unique-per-device accounts.”

“That’s a pretty significant change, but it’s just about only way to avoid this kind of problem,” he said.

Guardzilla were given three months to fix the security lapse and roll out new firmware to affected devices after the researchers privately reached out, but the company neither acknowledged or patched the issue, prompting the researchers to go public with their findings.

The researchers also also disclosed the vulnerabilities to Carnegie Mellon University’s public vulnerability database, CERT, which is set to issue an advisory Thursday, but received no response from the company.

TechCrunch sent several emails to Guardzilla prior to publication to no avail. After we contacted the company’s registered agent, a law firm in St. Louis, Missouri, chief executive Greg Siwak responded hours before publication, denying that the company received any correspondence. We asked several questions to clarify the company’s position, which we will include here if and when they come in. Siwak was adamant that the “accusations are false,” but did not say why.

When reached, former Guardzilla president Ted Siebenman told TechCrunch that he left the company in February but claimed he was “not aware” on the security issues in the device, including the use of hardcoded keys.

The security researchers found two more vulnerabilities — including several known bugs affecting the device’s continued use of a since-deprecated OpenSSL encryption library from more than two years ago. The researchers also disclosed in their write-up their discovery “large amounts” of traffic sent from an open port on the device to Guardzilla’s Amazon server, but could not explain why.

Guardzilla doesn’t say how many devices it’s sold or how many customers it has, but touts its hardware selling in several major U.S. retailers, including Amazon, Best Buy, Target, Walmart and Staples.

For now, you’re safest bet is to unplug your Guardzilla from the wall and stop using it.

Cybersecurity 101: Five simple security guides for protecting your privacy



from TechCrunch https://tcrn.ch/2BKGEaY
via IFTTT
Labels:

Comments

Post a Comment

Popular posts from this blog

Apple’s AI Push: Everything We Know About Apple Intelligence So Far

Apple’s WWDC 2025 confirmed what many suspected: Apple is finally making a serious leap into artificial intelligence. Dubbed “Apple Intelligence,” the suite of AI-powered tools, enhancements, and integrations marks the company’s biggest software evolution in a decade. But unlike competitors racing to plug AI into everything, Apple is taking a slower, more deliberate approach — one rooted in privacy, on-device processing, and ecosystem synergy. If you’re wondering what Apple Intelligence actually is, how it works, and what it means for your iPhone, iPad, or Mac, you’re in the right place. This article breaks it all down.   What Is Apple Intelligence? Let’s get the terminology clear first. Apple Intelligence isn’t a product — it’s a platform. It’s not just a chatbot. It’s a system-wide integration of generative AI, machine learning, and personal context awareness, embedded across Apple’s OS platforms. Think of it as a foundational AI layer stitched into iOS 18, iPadOS 18, and m...
Post a Comment
Read more

The Silent Revolution of On-Device AI: Why the Cloud Is No Longer King

Introduction For years, artificial intelligence has meant one thing: the cloud. Whether you’re asking ChatGPT a question, editing a photo with AI tools, or getting recommendations on Netflix — those decisions happen on distant servers, not your device. But that’s changing. Thanks to major advances in silicon, model compression, and memory architecture, AI is quietly migrating from giant data centres to the palm of your hand. Your phone, your laptop, your smartwatch — all are becoming AI engines in their own right. It’s a shift that redefines not just how AI works, but who controls it, how private it is, and what it can do for you. This article explores the rise of on-device AI — how it works, why it matters, and why the cloud’s days as the centre of the AI universe might be numbered. What Is On-Device AI? On-device AI refers to machine learning models that run locally on your smartphone, tablet, laptop, or edge device — without needing constant access to the cloud. In practi...
1 comment
Read more

Max Q: Psyche(d)

In this issue: SpaceX launches NASA asteroid mission, news from Relativity Space and more. © 2023 TechCrunch. All rights reserved. For personal use only. from TechCrunch https://ift.tt/h6Kjrde via IFTTT
Post a Comment
Read more