Zero-Day Bugs Spotted In Nooie Baby Monitors

Researchers have found numerous bugs affecting Nooie baby monitors. Exploiting the zero-day bugs allows an adversary to  access feeds, and execute code. Despite the severity of the bugs, the vendors are yet to release fixes.

Nooie Baby Monitor Bugs

According to a blog post from Bitdefender, their researchers caught several unpatched zero-day bugs in Nooie baby monitors.

Specifically, they found four different vulnerabilities in the Nooie Cam back in 2020. However, despite reporting the flaws to the vendors right then, the vulnerabilities haven’t attracted the vendor’s attention.

Given the exploitability of such bugs in baby monitors, the researchers decided to publicly disclose the flaws, urging the users to stay vigilant.

Regarding the bugs, the first of these is an information disclosure vulnerability, leaking the device and user ID. This leak happens due to how the device communicates to the MQTT server without authentication. Hence, an adversary can subscribe to the /device/init topic to know the target device’s details.

Then, once connected to the MQTT server (without authentication), the adversary can generate requests to access live feeds of arbitrary cameras. Regarding how this will work, the researchers explained,

This is achieved by publishing a message to the camera’s topic /device/<ID>/cmd, where <ID> is the uuid parameter obtained earlier. The payload must be in JSON format and must include the cmd and url parameters.

The third vulnerability is a stack-based buffer overflow that would allow code execution.

Lastly, an adversary could obtain the AWS credentials for the target device by using the leaked device and user IDs.

The camera uses the /rest/v2/device/get_awstoken endpoint on eu.nooie.com to obtain the AWS credentials used to store recordings on the cloud… The only prerequisites are the IDs leaked on the MQTT server (uuid and uid).

Such explicit access then allows the adversary to access stored recordings, or even reset the AWS bucket.

No Patch Available Yet

The researchers tested two devices – PC100A (Nooie Cam 360) (v1.3.88) and IPC007A-1080P (Nooie Cam Indoor 1080p) (v2.1.94) – in their study.

Since the bugs remain unpatched (until the time of writing this article), the researchers advise users to isolate their baby monitors for safety. For instance, users can restrict SSID access for networks connecting such critical IoT devices.

Also, keeping the devices up-to-date with the latest firmware updates is another strategy to receive the patches whenever released.

Let us know your thoughts in the comments.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients