Because of code reusing, the vulnerabilities are present in a huge list of cameras (especially the InfoLeak and the RCE), which allow to execute root commands against 1250+ camera models with a pre-auth vulnerability.
The summary of the vulnerabilities is:
- Backdoor account
- RSA key and certificates
- Pre-Auth Info Leak (credentials) within the custom http server
- Authenticated RCE as root
- Pre-Auth RCE as root
- Misc - Streaming without authentication
- Misc - "Cloud" (Aka Botnet)
&
Get ready for the next camera-botnet: a Chinese generic wireless webcam sold under more than 1,200 brands from 354 vendors has a buggy and exploitable embedded web server.
According to an advisory by security researcher Pierre Kim this week, the flaws lie within the camera's administration interface – plus the firmware opens insecure connections to backend systems.
Kim posted a Shodan.io link that lists more than 185,000 vulnerable Wi-Fi-connected cameras exposed to the internet, ready and waiting to be hijacked. The cameras' CGI script for configuring its FTP server has a remote code execution hole known since 2015, Kim said, and this can be used to run commands as root or start a password-less Telnet server.
There's a folder in the file system,
/system/www/pem/
, that includes an Apple developer certificate with a private RSA key. Then there's an unauthenticated real-time streaming protocol (RTSP) server, so if you can reach the camera's TCP port 10554, you can watch what it sees.The camera connects to the cloud by default to be can be remotely controlled by a smartphone app. All an attacker needs to commandeer a camera is one of these apps (Kim tried P2PWificam and Netcam360), and the serial number of the target.
Kim notes that such easily attacked cameras could effortlessly be recruited into a botnet. His alert includes proof-of-concept exploit code and the sensible advice that cameras should not connect to the internet.
The vulnerabilities clearly go back a long way, since 3Com's name is in the list of affected gear. Other big names include D-Link, Akai, Kogan, Logitech, Mediatech, Panasonic, Polaroid, and Secam.
Australian readers might want to check out cameras bought from Jaycar, particularly under the QC-38nn model range. ®
PS: Kim thought the security vulnerabilities were within a third-party web server called EmbedThis, which is used by the cameras to provide a user interface. The developers of EmbedThis disagree, and say the flaws are in custom code included by the hardware makers. Kim also named Axis as a vulnerable vendor: Axis says it is "not susceptible to the vulnerabilities stated by Pierre Kim."
-----
Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in custom http server
TL;DR: by analysing the security of a camera, I found a pre-auth RCE as root against 1250 camera models. Shodan lists 185 000 vulnerable cameras. The "Cloud" protocol establishes clear-text UDP tunnels (in order to bypass NAT and firewalls) between an attacker and cameras by using only the serial number of the targeted camera. Then, the attacker can automaticaly bruteforce the credentials of cameras.
Subscriber Discussion
185,000+ WiFi Camera Vulnerable
UM
Undisclosed Manufacturer #1
Mar 30, 2017UE
Undisclosed End User #2
Mar 30, 2017Good finding.
Jon Dillabaugh
Mar 31, 2017Good luck getting firmware updates for these! Another reason to buy from a real manufacturer that can provide firmware updates.
New discussion
Ask questions and get answers to your physical security questions from IPVM team members and fellow subscribers.
Newest discussions