Vulnerabilities ********
***** ****** [**** ** longer *********], * ******** researcher ** ********* ******** ******* ** **** *************** to ****** ********. *** *************** ******* methods ** ******** **** images, *** *****, ******** files *** ***** **** from **** **-****** ******* cameras, ** **** ** hard ***** *********** *** remote **** ********* ********. For *******, *******/******* *** string "/********/*********/******/*******.*** [**** ** longer *********]" **** *** end ** * **** FC ****** ******** ** IP ******* ** * browser **** ***** ******** cameras ** ****** * live ***** (*.*.: ****://***.***.**.**:****/********/*********/******/*******.***).
** *****, ***** ******** enable ********* ** ******** data *** ****** **** the *******, ** **** as ******* ******* ******** that ***** **** ** a ******** ******* ** the ******, ********** ******** attackers ** ****** *** execute ****** ****.
Vulnerability ********
** ******** *** *************** ** ********** live ****** *** ******* files **** ** /***/****** from ******** ********** ******* found *** ******. **** examples ** ****** *********:

******** *** /***/****** **** on ********** ******* ***** the **** **** ******** used ****** *** ******** of *******:

**** ********** **** *** claim ** ****-***** *********** in *** ************* *******, as ** ** ******** otherwise **** ** **** cameras ***** **** *** same ********* ******** ****** for *** **** ****.
No ******** *** *********
Updated ******** ********
****** - ****** ******** patches **** *** ********* at *** **** ** our ******** ***********, **** have ***** **** ********.
**** ******** * ***** for ***** *************** [**** no ****** *********]. ******* instructions *** ******** ** the release ***** *** *** patch [**** ** ****** available], ***** ******** ******** each ****** ************ *** its *** *********. ******* this ** * *****, and *** * **** firmware *******, ***** **** to ***** ** ** a ********* ******* (*.*.* or *.*.*), *** **** need ** ****** ***** firmware ** *** ** these ******** ****** ******** the ***** ** ******* older ******** ** *** camera.
****'* ******** ******** ********* *** **** ****** firmware *** **-****** ******* as *-**-****, **** ****** this ************* *** ********:

FLIR Limited / **** ********
********* ****'* ******* *** comment ** **** ** September ****, **** ****** a ************* ******** ** October *** [**** ** longer *********], **** ******* ***********. **** comes * ****** ***** the ******* ****** ** FLIR ** ***** ***************, and **** *** ******* which ****** *** ********, or **** ********* *** expect ******* ********. *** bulletins **** ************** ** to *** ***** ******** access ** **** *******:
** ****** ****, ** recommend **** ********* ***** cameras **** ** ******, secured ********.
*** ****** ******** **** also ********* * **** of ************** **** ****, stating "** *** *** a *** ** ********** have **** ******** *** the ********* ***************."
**** ***** ***-***** *** *********** who *** ***** ** have **** ******* ** use ** ******** ************** sites, **** ******** ***** contacted ** **** ** warn **** ** ***** vulnerabilities ****** *** ******* 2nd *******.
Minimal ****** *******
*** ****** ** **** scans ******** *** **** ******* **** very *** ******* ** accessible *******:

**** ** *******, ***** that **** ******* ******* are **** *********, ***** not ** ******** **** as "*******", *** *** frequently ********* ** * VMS. *******, * **** ** the ********* ******* ****** that **% ** **** were ******** ** **** vulnerability.
Impact *********
****** ******* **** ******* accessible ******, ******* ** those ******* ******* ********* for **** ****/******** ** the ***** ***** ****. FLIR thermal ******* *** ********* deployed ** ******** ************** sites, ** ***** **** high ***** ******. ************, these ******* *** ***** linked ** ***** ********* systems *** ********* ********* warnings. * ************* **** allows ** ******** ** view *** ******'* ******** area, ** *********** ***** settings ** ******* *****/****** analytics ******* * **** more ****** **** **** disabling * ****** *********** a ***** ********.
************, **** ********* **** the ****** **** ***** settings, *********, ** ***** data ***** ****** *********** sensitive *********** ***** *** ******** network ************ ** ***** devices ** ***. ******* could **** *********** ** exploited ** ***** ***** access, ****** ********* ****** to *** ******** ******* the ****** ******* **.
In ******** ** **** ***** *** ***************
***** *************** *** ******** and ********** ** ****************** **** **** *** been ******* ** **** their ****** ** *********** *** ********* ** their *** *** ***** lines.
Vs ********* ********
***** **** *************** ** not ***** ***** ** circumvent ************** ** ***** to * ******* *** *********, or ** ***** ** retrieve **** ********* ********. However, *** ****-***** *********** in *** ***** ** could ** **** ** access * ******* ********* if *** *** ********** ** the ***** (*** *** is ******** ** *******).
**** ************* *** ************ to *** ********* "***** ******" ******* ** **** ** **** not ******* *** ************** or ******* ****** ** access *** ******** ********, but ** ** **** critical ** **** ** cannot ** **** ** reset ** ******** ** admin ******* *** **** full ****** ** *** camera.
Poor ******** ***** ** ****
****'* **** ** * timely ******** ** ********* customers *** ********** ***** vulnerabilities *** ******** ** harm ***** ******* ********** ******** ********.
********* *** ******** ***** *** ******* cameras, ******* ******** ** FLIR, *** *** ********* avoided **** ** *** bottom ******** ** **** segment. A ****** ******** **** legacy ************* *** **** to ***** *** *********'* multiple ******** ***************, *** failure ** ******* ***** proactively, ** ** *******: ********* ***** **** *** Security ****** *** **** Bad *****.
**** **** *************, **** has ****** ********** **-*** with ********* ** ***** ** ease ** ******* *** handling ** ********* ************* to *********, **** ****** eroding ***** *** ******* price ************* *** ***** has ***** **** *********** and ***-*****.
Comments (6)
Undisclosed Manufacturer #1
I'm curious if and how FLIR will react to this ☺️
Well done IPVM, thank you!
Jon Dillabaugh
10/06/17 07:41pm
Doesn’t Dahua actually assemble the FLIR TC series? Are we sure of who makes the FC series? I only have had my hands on the FC-618 for a short period and don’t recall at the moment if it was Dahua-esque.
Undisclosed Manufacturer #1
It might be beneficial to search for FLIR OEM partners that just use FLIR's thermal modules and combine them with a custom (and more secure) encoder chipset (which includes all network functions).
I do not want to do any promotion here, but these partners exist.
Brian Karas
There is now a software fix available from FLIR for these vulnerabilities; the report has been updated with the following section to address this:
UPDATE - Patch Released
FLIR released a patch for these vulnerabilities. Upgrade instructions are outlined in the release notes for the patch, which requires updating each camera individually via its web interface. Because this is a patch, and not a full firmware release, users need to first be on a supported version (1.3.4 or 1.3.5), and will need to update their firmware to one of these versions before applying the patch if running older software on the camera.
Michael Gonzalez
10/11/17 02:33am
This is good information guys, thanks!