My new article is out, this time it’s about internet-connected cameras, mostly being marketed as spy cameras. While the cameras themselves are very different, the common factor is the LookCam app used to manage them.

There is already a considerable body of research on these and similar P2P cameras, so it shouldn’t be a surprise that their security is nothing short of horrible. Still, how the developers managed to make all the wrong choices here on every level (firmware, communication protocol, cloud functionality) is quite something.

https://palant.info/2025/09/08/a-look-at-a-p2p-camera-lookcam-app/

#infosec #iot #lookcam #security #vulnerability

A look at a P2P camera (LookCam app)

I’ve got my hands on an internet-connected camera and decided to take a closer look, having already read about security issues with similar cameras. What I found far exceeded my expectations: fake access controls, bogus protocol encryption, completely unprotected cloud uploads and firmware riddled with security flaws. One could even say that these cameras are Murphy’s Law turned solid: everything that could be done wrong has been done wrong here.

Almost Secure

By the way, you are welcome to post your suggestions here about what “financial-grade encryption scheme” means in the context of their cloud service or where it stands in comparison to “military-grade encryption.”

Edit: I checked and the text hasn’t been mistranslated. It is just as repetitive and incomplete in Chinese as it is in English.

@WPalant
In China there are several standardized encryption algorithms that together form the ShangMi (商密, lit. "Commercial Encryption") standard. 3 of them (pubkey crypto SM2, hash SM3, symmetric crypto SM4) are open standards, others are confidential.
Government entities and important professions (non-confidential) must use ShangMi, according to Chinese laws.
"Military-grade encryption" (that protects state secrets) though, they're never opened at all. Depending on the level of confidentiality needed, there are 普通密码 (lit. "normal encryption") and 核心密码 (lit. "core encryption") for different uses. (I don't think there's an official English translation for these terms, sorry)