FLIR Thermal Camera Multiple Vulnerabilities, Patch Released

By: Brian Karas, Published on Oct 03, 2017

Multiple cyber security vulnerabilities exist in FLIR thermal cameras, which have not been fixed, despite being reported months ago. UPDATE- FLIR has released patches, which are covered in this report.

In this note, we examine the vulnerabilities, share our test results of vulnerable FLIR cameras, review FLIR's response and the impact on the company. 

******** ***** ******** *************** exist ** **** ******* cameras,***** **** *** **** fixed, ******* ***** ******** months ***. ******- **** has ******** *******, ***** are ******* ** **** report.

** **** ****, ** examine *** ***************, ***** our **** ******* ** vulnerable **** *******, ****** FLIR's ******** *** *** impact ** *** *******. 

[***************]

Vulnerabilities ********

***** ****** [**** ** longer *********], * ******** researcher ** ********* ******** ******* ** **** *************** to ****** ********. *** *************** ******* methods ** ******** **** images, *** *****, ******** files *** ***** **** from **** **-****** ******* cameras, ** **** ** hard ***** *********** *** remote **** ********* ********. For *******, *******/******* *** string "/********/*********/******/*******.*** [**** ** longer *********]" **** *** end ** * **** FC ****** ******** ** IP ******* ** * browser **** ***** ******** cameras ** ****** * live ***** (*.*.: ****://***.***.**.**:****/********/*********/******/*******.***).

** *****, ***** ******** enable ********* ** ******** data *** ****** **** the *******, ** **** as ******* ******* ******** that ***** **** ** a ******** ******* ** the ******, ********** ******** attackers ** ****** *** execute ****** ****.

 

Vulnerability ********

** ******** *** *************** ** ********** live ****** *** ******* files **** ** /***/****** from ******** ********** ******* found *** ******. **** examples ** ****** *********:

  

******** *** /***/****** **** on ********** ******* ***** the **** **** ******** used ****** *** ******** of *******:

**** ********** **** *** claim ** ****-***** *********** in *** ************* *******, as ** ** ******** otherwise **** ** **** cameras ***** **** *** same ********* ******** ****** for *** **** ****.

No ******** *** ********* 

Updated ******** ********

****** - ****** ******** pataches **** *** ********* at *** **** ** our ******** ***********, **** have ***** **** ********.

**** ******** * ***** for ***** *************** [**** no ****** *********]. ******* instructions *** ******** ** the release ***** *** *** patch [**** ** ****** available], ***** ******** ******** each ****** ************ *** its *** *********. ******* this ** * *****, and *** * **** firmware *******, ***** **** to ***** ** ** a ********* ******* (*.*.* or *.*.*), *** **** need ** ****** ***** firmware ** *** ** these ******** ****** ******** the ***** ** ******* older ******** ** *** camera.

****'* ******** ******** ********* *** **** ****** firmware *** **-****** ******* as *-**-****, **** ****** this ************* *** ********:

FLIR Limited / **** ********

********* ****'* ******* *** comment ** **** ** September ****, **** ****** a ************* ******** ** October *** [**** ** longer *********], **** ******* ***********. **** comes * ****** ***** the ******* ****** ** FLIR ** ***** ***************, and **** *** ******* which ****** *** ********, or **** ********* *** expect ******* ********. *** bulletins **** ************** ** to *** ***** ******** access ** **** *******:

** ****** ****, ** recommend **** ********* ***** cameras **** ** ******, secured ********.

*** ****** ******** **** also ********* * **** of ************** **** ****, stating "** *** *** a *** ** ********** have **** ******** *** the ********* ***************."

**** ***** ***-***** *** *********** who *** ***** ** have **** ******* ** use ** ******** ************** sites, **** ******** ***** contacted ** **** ** warn **** ** ***** vulnerabilities ****** *** ******* 2nd *******.

Minimal ****** *******

*** ****** ** **** scans ******** *** **** ******* **** very *** ******* ** accessible *******:

**** ** *******, ***** that **** ******* ******* are **** *********, ***** not ** ******** **** as "*******", *** *** frequently ********* ** * VMS. *******, * **** ** the ********* ******* ****** that **% ** **** were ******** ** **** vulnerability.

Impact *********

****** ******* **** ******* accessible ******, ******* ** those ******* ******* ********* for **** ****/******** ** the ***** ***** ****. FLIR thermal ******* *** ********* deployed ** ******** ************** sites, ** ***** **** high ***** ******. ************, these ******* *** ***** linked ** ***** ********* systems *** ********* ********* warnings. * ************* **** allows ** ******** ** view *** ******'* ******** area, ** *********** ***** settings ** ******* *****/****** analytics ******* * **** more ****** **** **** disabling * ****** *********** a ***** ********.

************, **** ********* **** the ****** **** ***** settings, *********, ** ***** data ***** ****** *********** sensitive *********** ***** *** ******** network ************ ** ***** devices ** ***. ******* could **** *********** ** exploited ** ***** ***** access, ****** ********* ****** to *** ******** ******* the ****** ******* **.

In ******** ** **** ***** *** ***************

***** *************** *** ******** and ********** ** ****************** **** **** *** been ******* ** **** their ****** ** *********** *** ********* ** their *** *** ***** lines.

Vs ********* ********

***** **** *************** ** not ***** ***** ** circumvent ************** ** ***** to * ******* *** *********, or ** ***** ** retrieve **** ********* ********. However, *** ****-***** *********** in *** ***** ** could ** **** ** access * ******* ********* if *** *** ********** ** the ***** (*** *** is ******** ** *******).

**** ************* *** ************ to *** ********* "***** ******" ******* ** **** ** **** not ******* *** ************** or ******* ****** ** access *** ******** ********, but ** ** **** critical ** **** ** cannot ** **** ** reset ** ******** ** admin ******* *** **** full ****** ** *** camera.

Poor ******** ***** ** ****

****'* **** ** * timely ******** ** ********* customers *** ********** ***** vulnerabilities *** ******** ** harm ***** ******* ********** ******** ********.

********* *** ******** ***** *** ******* cameras, ******* ******** ** FLIR, *** *** ********* avoided **** ** *** bottom ******** ** **** segment. A ****** ******** **** legacy ************* *** **** to ***** *** *********'* multiple ******** ***************, *** failure ** ******* ***** proactively, ** ** *******: ********* ***** **** *** Security ****** *** **** Bad *****.

**** **** *************, **** has ****** ********** **-*** with ********* ** ***** ** ease ** ******* *** handling ** ********* ************* to *********, **** ****** eroding ***** *** ******* price ************* *** ***** has ***** **** *********** and ***-*****.

 

Comments (6)

I'm curious if and how FLIR will react to this ☺️

Well done IPVM, thank you! 

Doesn’t Dahua actually assemble the Flir TC series? Are we sure of who makes the FC series? I only have had my hands on the FC-618 for a short period and don’t recall at the moment if it was Dahua-esque. 

The FC series is done 100% by FLIR, including assembly. 

It might be beneficial to search for FLIR OEM partners that just use FLIR's thermal modules and combine it with a custom (and more secure) encoder chipset (which includes all network functions).

I do not want to do any promotion here, but these partners exist. 

There is now a software fix available from FLIR for these vulnerabilities, the report has been updated with the following section to address this:

UPDATE - Patch Released

FLIR released a patch for these vulnerabilities. Upgrade instructions are outlined in the release notes for the patch, which requires updating each camera individually via its web interface. Because this is a patch, and not a full firmware release, users need to first be on a supported version (1.3.4 or 1.3.5), and will need to update their firmware to one of these versions before applying the patch if running older software on the camera.

This is good information guys, thanks!

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports

HTTPS / SSL Video Surveillance Usage Statistics on Apr 01, 2019
HTTPS / SSL / TLS usage has become commonplace for websites to improve security and, in particular, to help mitigate attackers reading or modifying...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Vivotek Trend Micro Cyber Security Camera App Tested on Jul 22, 2019
Vivotek and Trend Micro are claiming five million blocked attacks on IP cameras, with their jointly developed app for Vivotek cameras. This new...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
ONVIF Exposure To "Devastating DDoS Attacks" Examined on Sep 06, 2019
ZDnet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices. And after an...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...
Remote Access (DDNS vs P2P vs VPN) Usage Statistics 2019 on Oct 25, 2019
Remote access can make systems more usable but also more vulnerable. How are integrators delivring remote access in 2019? How many are using...

Most Recent Industry Reports

Latest London Police Facial Recognition Suffers Serious Issues on Feb 24, 2020
On February 20, IPVM visited another live face rec deployment by London police, but this time the system was thwarted by technical problems and...
Masks Cause Major Facial Recognition Problems on Feb 24, 2020
Coronavirus is spurring an increase in the use of medical masks, which new IPVM test results show cause major problems for facial recognition...
Every VMS Will Become a VSaaS on Feb 21, 2020
VMS is ending. Soon every VMS will be a VSaaS. Competitive dynamics will be redrawn. What does this mean? VMS Historically...
Video Surveillance 101 Course - Last Chance on Feb 20, 2020
This is the last chance to join IPVM's first Video Surveillance 101 course, designed to help those new to the industry to quickly understand the...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see, especially because most look and feel the same. Even insecure 125 kHz...
AI/Smart Camera Tutorial on Feb 20, 2020
Cameras with video analytics, sometimes called 'Smart' camera or 'AI' cameras, etc. are one of the most promising growth areas of video...
China Manufacturer Suffers Coronavirus Scare on Feb 20, 2020
Uniview suffered a significant health scare last week after one of its employees reported a fever and initially tested positive for coronavirus....
Cheap Camera Problems at Night on Feb 19, 2020
Cheap cameras generally have problems at night, despite the common perception that integrated IR makes cameras mostly the same, according to new...
Milestone Launches Multiple Cloud Solutions on Feb 18, 2020
Milestone is going to the cloud, becoming one of the last prominent VMSes to do so. Milestone is clearly late but how competitive do these new...
Video Surveillance Architecture 101 on Feb 18, 2020
Video surveillance can be designed and deployed in a number of ways. This 101 examines the most common options and architectures used in...