Support Center

Vulnerability Disclosure

Last Updated: Feb 28, 2019 10:44AM GMT
Listed below are potential vulnerabilities raised against Y-cam products, software and services, together with the actions taken by Y-cam Solutions Ltd.

Date Raised: 27/07/2016
Vulnerability Reported: Weak Configuration Interface Authentication on Gigaset Smarthome Camera
Product, Software or Service: Camera
Action Taken: Development team notified the Customer Support Manager, who added it to our FAQs. A security fix was implemented in new firmware: the camera password is no longer Base64-based but a random password set in the factory, and as soon as the camera is claimed a new random password is set on the camera.
Date Completed: 14/09/2016

Date Raised: 27/07/2016
Vulnerability Reported: Video Stream Access without Authentication on Gigaset Smarthome Camera
Product, Software or Service: Camera
Action Taken: Development team notified the Customer Support Manager, who added it to our FAQs. A security fix was implemented in new firmware where all camera streams are encrypted.
Date Completed: 14/09/2016

Date Raised: 23/08/2017
Vulnerability Reported: Customer has reported that his camera is vulnerable to CVE-2012-5958
Product, Software or Service: Camera
Action Taken: Investigated; our cameras are not directly affected. A report has been made to our manufacturers.

Date Raised: 9/1/2018
Vulnerability Reported: The issue of KRACK, which affects a lot of cameras, was highlighted by our ODM partners and internal security team
Product, Software or Service: Camera
Action Taken: Y-cam Evo cameras are affected by the KRACK vulnerability like all other Wi-Fi connected devices in the market. We are currently working with our suppliers on a patch, but as you can appreciate it will involve Chicony, the chip manufacturers and our embedded team. For Y-cam the risk is medium-low, so we have to balance the need for a quick fix against the risk to consumers and to our product. Ref: https://nvd.nist.gov/vuln/detail/CVE-2017-13077. After careful consideration we have listed the risks to our customers and the devices and weighed them against the risks of a mass firmware upgrade.
Risks and Mitigations:
  • For this to be perpetrated, the attacker has to be within range of the Wi-Fi device and router.
  • This has to be during the handshake; it is only applicable when the device is connecting to the router.
  • Even if we patch our device, all other devices in the network have to be patched for the network to be KRACK free. And since the purpose of the hack is to get into the network, there is no way for the user to determine definitively where the hack came from.
  • The data and heartbeat between Y-cam cameras and the internet are encrypted, so our customers' data are safe.
Based on this, although we are in the development phase with our embedded team and suppliers to bring out a patch, it will not be a short-term fix. Also, due to the impact that a firmware upgrade roll-out may cause (cameras bricking), we have to decide, once we have a fix, whether to roll it out in new factory firmware or as a firmware upgrade.

Date Raised: 29/10/2018
Vulnerability Reported: Internal security audit found that our Protect Alarm hubs transmit data over MQTT
Product, Software or Service: Protect Hub
Action Taken: Manufacturers notified, and development work has started on Protect Hub 2, which will use AWS IoT.

Date Raised: 07/01/2019
Vulnerability Reported: Camera remained connected to an external service after removal from the account; based on data traffic analysis, the camera continues to transmit UDP traffic externally at the same rate as when it was connected to the account.
Product, Software or Service: All cameras
Action Taken: Although there are clear instructions in the Quick Start Guide that a user should hard-reset the camera when deleting it from an account, we will also make it clear, in the messaging during the deletion process, that the camera must be hard-reset.

Date Raised: 07/01/2019
Vulnerability Reported: The camera reveals sensitive information relating to ID, MAC and internal IP address over HTTP
Product, Software or Service: All cameras
Action Taken: We will add this issue to the backlog for a new firmware where all communication from the camera to the server is over HTTPS.

Date Raised: 07/01/2019
Vulnerability Reported: Camera sends snapshot image to server in clear text
Product, Software or Service: All cameras
Action Taken: Create a new firmware where the camera will not send any image to the server; instead we will use the encrypted video to get the latest image.

If you wish to raise a potential vulnerability with Y-cam Solutions Ltd, please email gdpr@y-cam.com and a member of the team will respond to you.
