Alex Farrant and Neil Biggs, both of the research team at Context Information Security in the U.K., analyzed Motorola's Focus 73, an outdoor security camera. Images and video taken by the camera can be delivered to a mobile phone app.
They found they could take control of the camera remotely and control its movement, redirect the video feed and figure out the password for the wireless network the device is connected to.
One attack exploits a cross-site request forgery problem. It was possible to scan for cameras connected to the Internet and then get a reverse root shell.
By tampering with DNS settings, they could intercept the alerts that the camera sends to its owner. The attack code that could enable that tampering could be planted on a Web page, they wrote in a blog post.
"If someone were to view a web page containing the snippet of script, it could compromise and subvert every vulnerable camera on their network automatically," they wrote. "Surveillance indeed."
The DNS trick meant they could also see FLV video clips that would normally be sent to a cloud storage service used by the device.
The Motorola Focus 73, which is actually manufactured by Binatone, also had a problem when connecting to a home Wi-Fi network.
When a person's home network is selected from a list, "you must enter your private Wi-Fi security key, which is then broadcasted unencrypted over the open network," they wrote.
Then there's a firmware issue. The firmware was written by a company called CVision. It appears to be generic code that was used in other kinds of IP cameras, "presumably to reduce development and support costs," they wrote.
The firmware is not encrypted or digitally signed. The research team added a backdoor to its code, which they could then upload to the camera.
"Firmware should be signed and encrypted as a minimum to stop bad firmware uploads or tampering," they wrote. "Failure to do this not only carries security risks but also business risks."
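The signing half of that recommendation can be sketched as a check the device runs before flashing an upload. This is an added example, not code from Context, Motorola or CVision; the package layout (image followed by an Ed25519 signature), the function names and the demo key are assumptions, and encryption of the image is not covered.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"errors"
	"fmt"
)

// Assumed package layout (hypothetical, not the camera's real format):
// raw firmware image followed by a 64-byte Ed25519 signature over the image.

var ErrBadFirmware = errors.New("firmware rejected: missing or invalid signature")

// SignFirmware runs on the vendor's build server, where the private key lives.
func SignFirmware(priv ed25519.PrivateKey, image []byte) []byte {
	sig := ed25519.Sign(priv, image)
	return append(append([]byte{}, image...), sig...)
}

// VerifyFirmware runs on the device, with the vendor public key baked into
// the running firmware, before anything is written to flash.
func VerifyFirmware(pub ed25519.PublicKey, pkg []byte) ([]byte, error) {
	if len(pkg) <= ed25519.SignatureSize {
		return nil, ErrBadFirmware // too short to hold an image plus signature
	}
	split := len(pkg) - ed25519.SignatureSize
	image, sig := pkg[:split], pkg[split:]
	if !ed25519.Verify(pub, image, sig) {
		return nil, ErrBadFirmware
	}
	return image, nil
}

// DemoKey derives a fixed key pair from a constructed seed (demo only).
func DemoKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

func main() {
	pub, priv := DemoKey()
	pkg := SignFirmware(priv, []byte("constructed firmware image v1.0"))
	_, err := VerifyFirmware(pub, pkg)
	fmt.Println("vendor image accepted:", err == nil)
	tampered := append([]byte{}, pkg...)
	tampered[3] ^= 0xff // a modified image re-uploaded with the old signature
	_, err = VerifyFirmware(pub, tampered)
	fmt.Println("modified image accepted:", err == nil)
}
```

Only the public key needs to be on the device, so extracting it from a camera does not let anyone produce an image the check accepts.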
Context notified Motorola Monitors of the issues in early October. Since then, Motorola and partners that have built software for the device -- including Binatone, Hubble Connected, Nuvoton and CVision -- have worked on patches.
Firmware updates were released a month later, and more fixes "are currently being rolled out to customers' cameras via an automated update process," they wrote.