Exclusive: How safe is the Maximus Answer DualCam video doorbell?

Maximus Answer DualCam review
(Image credit: Maximus)

The Maximus Answer DualCam is one of the best video doorbells, as its two-camera setup lets you see very clearly if someone left a package at your door. But while the DualCam may be good at protecting your packages, how good is it at protecting your data? 

As part of a partnership with Tom's Guide, security firm Bitdefender has analyzed the Maximus Answer DualCam video doorbell that Tom's Guide reviewed in 2020. Bitdefender looked at the video doorbell's network communications and its internal software and hardware, and its study report found the video doorbell's security to be pretty good overall.

Some problems with server authentication

The only major vulnerability was a lack of server authentication in two instances. The video doorbell did not verify the Amazon Web Services data "bucket" to which it uploaded video feeds and logs. Nor did it verify the server from which it downloaded firmware updates. 

These network communications are sent using the plain old HTTPS web protocol, not the OpenVPN protocol used to handle commands to the video doorbell from the smartphone app.

That flaw could, at least in theory, lead to a man-in-the-middle attack if an attacker who was already on the doorbell owner's home Wi-Fi network could force the doorbell to accept a bogus HTTPS certificate and intercept the uploads. 

"As a result," says the Bitdefender report, "an attacker sitting between the camera and the servers could intercept the uploaded logs and recordings." 

So your nasty neighbor could intercept your video feed this way. To protect yourself against such an attack, however unlikely it may be, make sure you use a strong, unique password to access your home Wi-Fi network.

As for the log files, "they do not contain sensitive information that could be useful to an attacker," the report says. "Most of the messages pertain to the functioning of the camera."

While "the surrounding Wi-Fi networks and their MAC addresses are transmitted, as well as the name of the current network" as part of the log files, "the password for the current network is not transmitted."

Firmware updates are very well protected

Hacking the doorbell with a bogus firmware update, a common method of attacking smart-home devices, would be very difficult to pull off on the Maximus Answer DualCam for a number of reasons. 

First, the web address, or URL, of the update server seems to be hard-coded in the Maximus Answer DualCam video doorbell's firmware, and changing the server address would require root access. 

Second, the Bitdefender report says that "the attack requires knowledge of both the ta.key file (to authenticate TLS connections), and a way to trick the camera into connecting to the rogue server."

At least in theory, an attacker could perhaps "spoof" the Maximus server by setting up a rogue Wi-Fi hotspot and forcing the doorbell to connect to that. Then a poisoned DNS file on the rogue hotspot could redirect queries for the server URL to instead go to the attacker's machine as the "server."

Third, setting up or changing the doorbell's Wi-Fi network connection can only be done via Bluetooth using the Kuna companion app on the owner's smartphone. 

The Kuna app relays the doorbell's serial number plus random data — a "nonce," in cryptography terms — to the Maximus server. The server replies with a token (consisting of a "hashed" version of the nonce plus a secret code) that authorizes the video doorbell and gives the doorbell the local Wi-Fi access credentials it got from the owner's Kuna smartphone app.

"The Bluetooth connection can be established at any time to change the Wi-Fi network, but only the camera owner can initiate it," the report says. 

"If an attacker wishes to change the network, they would need either the secret to create the token, or the token provided from the server. The secret is unknown, and the server sends the token to the owner only."

Finally, the Maximus Answer DualCam's firmware updates are digitally signed by the vendor. A rogue firmware update delivered by a rogue server would simply not be installed.

"Any modifications to the binary will result in a signature mismatch," says the report. "The binary will be discarded in this case. An attacker can't forge the signature, as it requires the private certificate corresponding to the public key used to check the signature."

Locked down pretty tight

Otherwise, the Maximus Answer DualCam video doorbell has good security. As noted earlier, for most communications it uses the OpenVPN protocol to communicate with its server so that third parties on the same wireless network as the video doorbell cannot decipher the signals.  

Each camera has a unique digital identifier to identify itself to its servers. Attempts to access ports on the video doorbell over the local Wi-Fi network were unsuccessful, and so was an attempt to exploit the OpenVPN connection using a widely applicable flaw. 

Commands sent by the owner to the video doorbell are routed through Maximus' servers, but each request has to be accompanied by an authorization token.

Also, "to modify the camera's settings, the user requires its serial number. An attacker who knows the serial number cannot modify settings, as ownership is validated."

Similar authentication is required for live streaming. 

Even UART connections, which involve clipping wires to specific spots on the motherboard for software or hardware debugging, require a password in this case. UART connections are often a reliable backdoor into a smart-home device, but not on the Maximus Answer DualCam video doorbell.

How Bitdefender tested the Maximus Answer DualCam

Bitdefender researchers used several tools and methods to analyze the security of the Maximus Answer DualCam. 

A virtual machine running on a PC served as the Wi-Fi access point. The Burp Suite penetration-testing tool was used to monitor encrypted network traffic. The UBI Reader Extract Files utility was used to read the filesystem on the firmware disk image. 

The Bluetooth Host Controller Interface logging tool built into Android (with Developer mode activated) was used to capture data packets exchanged between a smartphone and the video doorbell during the initial setup process, and the Wireshark network-packet analyzer was used to examine those packets. A custom digital certificate was used to stage a man-in-the-middle attack in order to decrypt traffic to and from the Android app.

The Ghidra decompiler developed by the U.S. National Security Agency was used to reverse-engineer binary data, i.e. turning data that was just bits and bytes back into source code. The network mapper Nmap was used to determine that the Maximus Answer DualCam had no open ports.

Safe to use? Yes, mostly

Overall, the Maximus Answer DualCam video doorbell seems safe to use, except for the remote possibility that someone already on your Wi-Fi network might be able to intercept the video feed, provided the attacker knows how to spoof a digital server certificate. 

We think that's not something most people would need to worry about, unless they work for a defense contractor or another organization having to do with national security. If we were to give devices letter grades in security, we'd give the Maximus Answer DualCam video doorbell an A-minus.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.