Shenzhen Gwelltimes Technology Co., Ltd is the white-label vendor behind a whole constellation of Internet of Things networked home cameras sold as security cameras, baby monitors, pet monitors, and similar technologies. These cameras are designed to be monitored by their owners using an app, and because of farcically bad default passwords ("123") and other foolish security practices (such as sequentially numbering each camera, allowing attackers to enumerate vulnerable devices), the devices are trivial to locate and hijack over the internet.
The cameras are all accessible using a Shenzhen Gwelltimes Technology Co app called "Yoosee," which allows users to pair with cameras without changing the default password.
A South Carolina mother named Jamie L Turman posted an account of her babycam being hijacked over the internet by an unknown party, who activated the camera's panning feature to follow her around her baby's room.
Her baby monitor was a FREDI camera, one of the many rebadged Shenzhen Gwelltimes Technology Co cameras. Researchers from Security Research Labs, who had previously published extensive reports of the vulnerabilities in Shenzhen Gwelltimes Technology Co's products, hypothesize that the attacker was able to scan for Ms Turman's camera and compromise it using the default password.
SEC Consult believes that Shenzhen Gwelltimes Technology is also one of the vendors behind the security camera models that SRLabs analyzed last year, as YooSee was listed as an app used for controlling Cloudlinks and Videoipcamera devices. These two camera brands are most likely Shenzhen Gwelltimes devices, rebranded and resold by their respective owners.
"Although they have been confronted with the security issues months ago, they have decided not to fix them," SEC Consult said about the fact that Shenzhen Gwelltimes didn't appear to change anything in its products following the publication of the SRLabs report.
Someone Is Taking Over Insecure Cameras and Spying on Device Owners [Catalin Cimpanu/Bleeping Computer]
(Image: Cryteria, CC-BY)