Big Security Hole in Surveillance Cameras

By: Ethan Ace, Published on Feb 06, 2012

The mainstream press has been abuzz with an IP camera vulnerability that allows people from anywhere on the Internet to directly and easily access TRENDnet cameras without any authentication. In this note, we explain how it was done, why we believe Trendnet engineers had to know about it and what implications this has for the rest of the surveillance industry.

Firmware Exploit

While it took real skill for an outsider to find the exploit, usig the exploit itself is very simple. Basically, a standard URL exists that if entered provides direct access to the MJPEG video stream without any restrictions.

The hacker deconstructed Trendnet's firmware, manually inspecting the enclosed files. This inspection revealed multiple CGI scripts used for requesting live video. Trendnet had left a folder called 'anony' (as in anonymous access). In that folder is a file named mjpg.cgi. A request to that file returns a live video stream (e.g., http://192.168.1.17/anony/mjpg.cgi). Here's what the basic queries look like on a Linux distrobution:

The hacker then detailed a method by which users were able to search for Trendnet cameras available on the internet. Taking this information, active internet messageboards, such as Reddit and 4chan, set about finding as many open camera feeds as possible, sharing lists of IP addresses of cameras as they were found. This led to likely hundreds of readers of these sites viewing feeds and capturing stills from hundreds of IP cameras, many in private residences, along with businesses. 

Some of these captures are extremely disconcerting, looking directly into users' homes:

We suspect that Trendnet engineers knew about this security flaw, simply because it is an obvious, "in plain sight" feature for an engineer, likely used as a backdoor or a shortcut by their internal team to do testing. 

Trendnet's Response

Trendnet has since released an apology and firmware update for affected cameras. However, notice of this firmware update was sent only to those users which registered their Trendnet camera, which is typically a small percentage. Additionally, given Trendnet's position in the industry, as a low-cost manufacturer often used for residential and small business systems by less tech-savvy users, many users will be unlikely to ever hear about this issue and subsequent fix, leaving them vulnerable indefinitely. 

Implications for the Industry

While this exploit was performed on cameras from Trendnet, a minor presence in the professional surveillance industry, the implications it has for the industry as a whole are potentially huge. With so many different IP cameras available, chances are high that issues such as this exist in other manufactuers' lines. The exact hole will likely not be the same but the end result may be.

Cameras in corporate environments may be of less concern, as they are most often running on networks behind firewalls, internal to a facility. However, an attacker who gains access to the network could still use holes such as these to view feeds directly from cameras.

Comments : Members only. Login. or Join.

Related Reports

Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
ONVIF Exposure To "Devastating DDoS Attacks" Examined on Sep 06, 2019
ZDnet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices. And after an...
Mobotix First CNPP CCTV Cybersecurity Certification Examined on Sep 05, 2019
Mobotix recently became the first video surveillance manufacturer to receive the CNPP cybsersecurity certification for its cameras, in which they...
Warning: Windows 7 Update Crashing NVRs on Aug 26, 2019
Windows 7 updates are causing VMS servers to fail to boot. After running the update, impacted systems do not boot as normal, instead display this...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Axis Suffers Outage, Provides Postmortem on Aug 15, 2019
This week, Axis suffered an outage impacting their website and cloud services. Inside this note, we examined what happened, what was impacted...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
Verint Victimized By Ransomware on Apr 18, 2019
Verint, which is best known in the physical security industry for video surveillance but has built a sizeable cybersecurity business as well, was...

Most Recent Industry Reports

Embedded Logix Thermal Temperature Detection System Examined on Apr 08, 2020
Embedded Logix has been producing thermal temperature measurement systems for industry and fire detection for over 10 years. Now, they are entering...
Micron 1 TB SD Cards Aim To Eliminate NVRs on Apr 08, 2020
Micron has boldly proclaimed their latest 1TB microSD "eliminates the need for network video recorders", targeting the growing market of...
US DoD Declares "Can No Longer Do Business" With Contractors Using Dahua, Hikvision, Huawei on Apr 08, 2020
The US Department of Defense has confirmed to IPVM that they fully support and intend to proceed with the NDAA 'blacklist clause' covering Dahua,...
IPVM's 12th Anniversary - Thank You! on Apr 07, 2020
IPVM is proud to celebrate it's 12 anniversary expanding our commitment to providing the industry independent and objective information on video...
Mobotix Thermal Body Temperature Detection Examined on Apr 07, 2020
Mobotix has jumped into the Coronavirus temperature detection market, but how do they compare to thermal incumbents like FLIR or ICI who have been...
Verkada Coronavirus Response: Free Temp Systems For Government and Health Care on Apr 07, 2020
Verkada has built a reputation on giving away things for free - free Yeti Tumblers, free trial cameras and now free temporary systems for...
Hikvision USA Refuses, Dahua USA Drives Forward With "Coronavirus Cameras" on Apr 07, 2020
Both have been federally banned, both sanctioned for human rights abuses but only one - Dahua - is taking aim at the booming "coronavirus cameras"...
China Surveillance Vulnerabilities Being Used To Attack China, Says China on Apr 07, 2020
While China video surveillance vulnerabilities have been much debated in the West in the past few years, China is now saying those vulnerabilities...
USA ICI Elevated Skin Temperature Detectors Examined on Apr 06, 2020
Infrared Cameras, Inc. (ICI) is aiming to help slow the spread of COVID-19 with "pinpoint accurate skin temperature measurement" using their...
Trade Groups Request NDAA Blacklist Delay Citing Coronavirus on Apr 06, 2020
Two trade groups representing government contractors have asked Congress to delay implementation of the NDAA's 'blacklist' clause from this August...