Bugcrowd Blog

Testing Homeboy as a security researcher - My experience

Posted by Bugcrowd on Oct 21, 2014 3:26:15 AM


Today, Homeboy released their slick based battery-powered Wi-Fi cameras, which TechHive called what "could be the best home-security cameras yet". What you probably haven't heard is how Homeboy proactively tested the security of their cameras with 20 of Bugcrowd's elite security researchers before launching.

Bugcrowd security researcher Tobias Mccurry was one of the twenty that received a Homeboy camera before launch and penetration tested for two weeks via a Flex Bounty. Below is a review of his experience.


Bugcrowd Researcher - Tobias Mccurry (Bugcrowd Profile and LinkedIn)

As part of the Bugcrowd research team, I recently received an invitation to a private bounty for Homeboy. Bugcrowd’s process for handling the invitation was extremely professional. Not much information was given about it to start except that you had to be okay with providing your address so Bugcrowd could send you a package. I received a small package within a week and immediately opened it. It was an IP-based camera called Homeboy that looked something like a futuristic robot.

Two days later, I received a notification from Bugcrowd stating the bounty program was launched on the Crowdcontrol platform. I logged in to take a look. Researchers were provided with an iOS application for the iPhone to control the camera. I downloaded the application, connected the camera and instantly fell in love with this device. It was obvious that the product designers took their time thinking about the user, and how to make the device practical for them.

The robot-looking camera is a round ball with a magnetic base. You can charge the camera’s battery, connect it to your wifi and put it in a location that is not near an outlet. The device is simple to setup and very low maintenance. Once setup in a location you can configure it to look for motion, sound an alarm, email you, record audio, and turn on the onboard light. With its long battery device I don't have to worry about it if I go on vacation or leave for a conference.

So what about the security of the device? This device and the mobile applications have been put together very well. Security has been baked in from the start using a JSON-based API. I was working on reversing the API calls from the application when Bugcrowd announced the company was releasing the API documentation and an Android application. When a company releases the full API it means two things to me:

  1. The company is confident in their application and have nothing to hide.
  2. The company wants every API call tested, meaning better security for the consumer.

More security researchers looking at a product earlier in the development lifecycle means better security for consumers. I’m thrilled to have been invited to participate in this program and provide feedback on the device’s security. Thank you to Homeboy and Bugcrowd for for giving me an opportunity to test an awesome product. If you are looking for an awesome IP camera look for the Homeboy in store soon. I will be buying a couple more :).

Bugcrowd Researcher,
Tobias Mccurry


Learn how you can Harness the expertise of a curated crowd like Homeboy, Aruba Networks, and Heroku with the intelligent Crowdcontrol platform.

Bugcrowd News

Written by Bugcrowd