According to Zmodo, both their devices and apps are protected by AES 256-bit encryption with TLS—Transport Layer Security—and your footage can only be accessed with your username and password. But does that mean Zmodo cameras are secure?
The question of whether or not Zmodo is secure transcends the Zmodo brand into all IoT products. Ultimately, the answer is—probably not. There are some troubling study results, along with app discrepancies, that deserve more attention.
It’s 2021, and IoT products number in the billions. The obvious query is whether or not some basement-dweller in Sticks Village, Utah, knows whenever your baby wakes up and whether or not Zmodo is part of the problem?
The Dark Cubed Study on Zmodo Security
Dark Cubed is a cybersecurity firm founded in 2015. Their primary service is offering internet security to prospective clients. In 2019, they published a study on The State of IoT Security, of which Zmodo was a part.
Although Zmodo touts 256-bit encryption, the Dark Cubed study demonstrated what is called a “man-in-the-middle” attack, through which outgoing images—from the Zmodo device to the cloud—could be intercepted and viewed, bypassing the encryption altogether.
Also, Dark Cubed claims that anyone, with the right tools, could easily intercept everything from both the Zmodo device and the Android app.
Downloading the app on Google Play requires you to grant 29 permissions, 12 of which are dangerous. These permissions allow for:
- Location sharing
- Read SMS texts
- Disable keyguards
- Read contacts
- Access to your file system
- Bluetooth control
- Read your external storage
- Write system settings
Xiongmai and White Labeling
Xiongmai is a Chinese company that manufactures video surveillance equipment. The company has a sordid history with security vulnerabilities that have impacted millions. In September of 2016, Mirai malware was used to hit multiple targets via “disruptive denial of service” attacks.
It was later determined that Xiongmai products comprised most of the products infected by Malai. Xiongmai engages in what is called “white labeling,” wherein a product—manufactured by Xiongmai—is repackaged and relabeled by the company that purchases it. Zmodo is one such company that white labels Xiongmai products.
While Xiongmai has threatened accusing parties with lawsuits, played the blame-game, and eventually claimed to fix security vulnerabilities, there is still no evidence that it has done so.
In 2018, SEC Consult attempted to resolve the security vulnerabilities with Xiongmai—without much success—and also published a concise breakdown of the issues with Xiongmai and a list of all known products that use white labeling over Xiongmai products. Zmodo made the SEC Consult’s list.
Does Zmodo Send Cloud Storage to China?
On January 8, 2017, Fortego did a security assessment on Zmodo cameras. They determined that there were five ports open to potentially wrongful access on the Zmodo device.
The same assessment also determined that the Zmodo app sends image traffic to IP Address 220.127.116.11, which is in Beijing, China. Now, if you trust that your data is stored securely in China well, that’s up to you. But, it’s not the recommended route for your home security images.
Later, a 2019 continuation of the security assessment reached the same conclusion as the 2019 Dark Cubed study. In between the camera and cloud storage, when the pictures or videos are being sent, Zmodo images are extremely vulnerable.
Zmodo Has a Bad History with Security Issues
The past doesn’t conclusively prove the present, but it is relevant. As history tends to be cyclical and modern companies eschew privacy in favor of profit, it’s worth noting Zmodo’s place.
Zmodo was listed as vulnerable to hacks in 2013, 2016, and 2018. It’s also worth noting that despite a Zmodo spokesperson’s reassurances in 2013, Zmodo products were still affected by the Mirai malware in 2016.
Unfortunately, unlike a laptop or desktop computer webcam, someone hacking into a Zmodo camera doesn’t need to be discreet or subtle. Since no one can see the Linux software running in Zmodo devices, there’s no sign of compromise.
While Zmodo isn’t the only product with worrisome security vulnerabilities, their products are and have been a part of the problem.
Cameras, audio, and other recording devices are everywhere. Street corners, alleyways, traffic lights, businesses, and cars are replete with them. Now, we are importing these devices into our homes.
Zmodo has an unfortunate history of serious security issues and continues to white label its products manufactured by Xiongmai—a known collaborator in creating vulnerable products. Numerous studies conducted by reputable organizations have continuously pinpointed Zmodo and Xiongmai as problematic. The studies don’t end with just the product, but the associated apps as well, especially on Android devices.
Without a conclusive and current 2021 study, we’re left with what we know, and what we know is that Zmodo doesn’t provide a highly secure and dependable product.