"We were able to broadcast a stream to the cloud masquerading as the camera," said Wardle, who is Synack's director of research.
They also created malicious software for Apple's OS X that could be delivered by a new Dropcam to a person's computer, similar to an NSA-style interdiction attack.
Wardle and Moore referred to the code as an "implant." It defeated Apple's XProtect, which is a basic antimalware program; Gatekeeper, which blocks applications that haven't come from the Mac store or a known developer; and a defense in OS X Mavericks that requires properly signed kernel drivers, Wardle said.
The implant allows a hacker to remotely view a Dropcam's live video feed and turn on its powerful microphone, a so-called "hot miking" attack. Attackers can also use the implant code to run a scan on the network it is connected to, potentially uncovering other weak points for attack, Moore said. The code also transmits geolocation information so the cameras can be plotted on a map.
Such tampering with a Dropcam would be unknown to a consumer or a company, Moore said. Embedded devices — at least now — don't run security software, and what goes on inside of them is often opaque.
"I'm not sure there's a good solution, but it's something the security industry needs to think about," Moore said.
One solution to tampering may be to require that new code uploaded to a Dropcam have an approved digital signature, known as code signing, Wardle said. Apple uses this model with its iPhone, which prevents devices from running applications not approved by the company. Then, it would at least require hackers to perform a "jailbreak" attack to break that restriction before putting malware on a Dropcam.
The Dropcam has a button on the device that, if pushed, allows unsigned firmware to be uploaded if the right protocol is used, Wardle said. The button is probably there for convenience for provisioning software after the hardware comes from the factory, Wardle said.
The researchers are waiting for Dropcam to fix the other vulnerabilities they found, which concern other applications on the device and configuration issues when a Dropcam is plugged into a computer.
Still, even with the vulnerabilities, Moore said, "I think Dropcam has done a lot of things right."
For example, it encrypts connections with its home servers over SSL. Dropcam also completely reimages its devices when it sends out updates, Moore said.
Moore and Wardle did catch Dropcam out on SSL — Dropcam hadn't applied the patch for OpenSSL that fixes the Heartbleed vulnerability, but after it was notified by Synack, the company did it "very quickly," Wardle said.
Moore and Wardle's presentation is scheduled for 11 AM Sunday at Defcon in Las Vegas.
Send news tips and comments to firstname.lastname@example.org. Follow me on Twitter: @jeremy_kirk