Amazon's Top Selling IP Camera Wansview - Cyber Security Tested
Wansview is one of Amazon's top-selling IP cameras but how good is the cybersecurity?
In this report, we test Wansview's cybersecurity and examine:
- What cybersecurity issues were found?
- How strong is the app authentication?
- Which public cloud servers does Wansview use?
- Does Wansview offer a Bug Bounty program?
- Does it provide a Software Bill of Materials (SBOM)?
- Does it provide the required open-source software license information?
- What TLS versions are used by the cameras and cloud servers?
Related: see Wansview IP Camera Tested (video performance and general functionality).
Executive *******
****** *** ******* ** ********'* ** camera, **** ********** **** **** * verified *************** ** *** ****** ********, some ** ***** **** ****** ************ and *********.
*** ** *** **************** ** ******** support ** ****'* ******** ********* *** email *** ********* **** * ****, IPVM ******** ** ****/** ** ** attempt ** ********** * *********** **********.
*** ******* ******** **** ******** **** an *******-****** *****, *******, ***** ** shared ***** ******** *******, *****************,******* *******,*******,********* ****, ****************, **** **** *** *** ********** apps.
***** ********** ****-****** ************ (*****) ******** on *** ******* ******, **** ********** a ************* ************* ********** **** ******* GitLab.
*** ************* ******* ** ** ****** sensitive ***********, **** ** ******-**** ****** code, *** ******* ****, ************, ***/******** secret ****, *** **** *********/*********. ** reported *** ***** ** ******* *******, and *** ******** ************ *** *** inaccessible.
** ******** ** *** ******** ***************, we ***** **** *** ******** ****** app **** ****** **************, *** *** v1.3, ***** *** ******* *** *** v1.2. *** *** *** ******* *** pinned ************ ** *********** **** *** cloud, * ****** ************* *******. *******, the ***** ******'* *** ************* ** not *******, ** **** ******* ******* up ** *** **.* ** **.*, while ****** ***** ******** *** **.*.
No **** ****** ******* ***********, *** ******, ****
** ***** *** **** *** ****-****** license *********** *** ****** *** ****** or *** ***. ************, ******** *** not ***** ** ***** * *** Bounty ******* ** ******** ***** ** Materials (****), *** ** **** ******* dedicated ******* *********** *** ********* ***************.
** ***** ******** ** **** *** plans *** * *** ****** ******* or ** ********* ****, *** **** did *** *******.
Wansview ** *************** ***** - ******** ** ****/** - ******** ************
****** *******, **** ********** **** **** 5 ******** *************** ** *** ****** firmware, **** ** ***** **** ****** identifiable *** *********.
******* *** ******** ** ****** ********* contact *********** *** ********* *************** ** Wansview, ** **** ************. *******, **** reached *** ** ******** ******* ******** times *** ***** *** ********* **** the ****** ** * **** ** request *** *********** ******* ***********. *************, Wansview ******* *** *** *******, ******* an ********* ***** ********* * ******** within ** *****.
**** ********,
**** ** ********/******* *******. ***** *** for **** *****.
** *** *** ** *** ****** during *** ************* *******' ***. **** message ** ********* ** **, *** we **** ******* ** **** ** possible.
** *** **** *********** *** ** the ********* ********, *** *** ***** the ************* ******** ** ************ *****.
** **** **** ** *** ***** this *****, ****** ***'* *****. ** will ***** ** *** ****** ** hours, ****** *** **** **** *** understanding.
**** ******** ** ****/** ** ** attempt ** ********** * *********** **********. After * **-*** ******, **** **** publish *** ********** *************** **********.
Wansview ** ****** ******* ******* - ** *** **
****** *******, ** ***** **** *** camera *** *** ***** *** ********* user ********* *** ***** *************. *******, we **** ***** *** ****** *** an **** ****** ********* ** **** 80, ** **** ****** ** **** 554, *** ** ***** ****** ** port ****.
*** **** ****** *** *** **** a ******* ********, *** ***** ** our ******** ** ******** ****** ********, is *** ******** ********** *** ********:
Serial ****** ******* ******* *** *******
*** ** *** ********** *** ******** will ******** *** ****** ****** ** the ** ****** ******* **************. *** deviceId ****** **** "***" *.*. ********:
**** ** * **** ** ******* that *** ****** **** *** ** gather *********** ***** * ****'* ******, identify *** **** ** * ****** and *********** **** ***** ***************.
Wansview ***** ***
*** *********** **** ****** ************** ** using ** ********* ******** ****** *** authentication *******. ***** ********** **************, ******* generates ** ************* ***** **** ** valid *** * *****, ***** *** refresh ***** ******* ***** *** ** days. ** ********, ***** ** **** with *** **.* *** **** ****** is ****** **** ****-***.
*** *********** ******** ******* **** ****** Software ********* **** ************* *** ***** ****** ******* *.*, but ** ***** ** **** ****** Software ******* ****.
****** ********* ******* *.*, ** *** **** *** ********* in ********* *
Camera ***** ******* - ******** ********
*** ******** *** ****** ***** ** change *** ***** *******'* ******** *** password *** *** ******, ***** ******* the ******** **** ******:
*******, *** ******* ******** *** ** located ****** *** **** *** ** clear ****:
** ** *********** ** ******* * password ****** ****** ***** *** **** and ***** ********** *** ******** ** the ***.
ONVIF/RTSP ****** **************
** ***** **** ***** *** **** were ******* ** *******, * ********* security ****, *******, ********* ***** ************ will **** ********** ************** *** ****.
*******
** ***** **** *** ****** *** app *** *** *************.***.*** ******** ** **** *************** **** ** ** * ***** platform *** ***** *****, **** * few ****** ****** ***** *** ******* tab, ********* ********:
AJCloud ****** ** *******
** ***** ****** ********** ******* ***** ** **********.*********, ** *** ** ********** **** the ****** ** ****** ** ******* in *** **, *********, *** *****.
AjCloud ************* ***** - ********* ** *******
**** ********** * ************* ***** ****** to******.*******.***, ***** ******* ** ** **** repositories ******* **************. *** ******** **** us ****** ** ********* ***********, **** as ******-**** ****** ****, *** ******* keys, ************, ***/******** ****** ****, *** SMTP *********/*********.
**** ********/********
******* ********* ****** * ****:
* ** ******* ** ******* ** gratitude *** **** ****'* ****** ************ of * ******** ************* ** *** of *** ********. **** ****** *** thorough ********* ** **** ***** *** helped ** ** **** ********* ****** and ******* *** ****.
* **** ** ****** *** **** we **** ******** ****** **** ********* and **** ******* ***** ***** ** address **** *****. ** **** ********* a ******** ****** ** *** ******* and **** *********** ********** ******** ** ensure *** ****** *** ******** ** our ****.
** ********** **** ********* *** ******* efforts ** **** *** ******** * safer ***** *** ***. ****** *** us **** ** *** **** *** additional *********** ** ****** ********* ******** best *********.
***** *** ***** *** ******** **** matter ** *** *********.
*** ************ *** *** ************, ********** that ******* ******* *** ***** ****** steps ** ******* *** *************, ***** is ***********.
Possible ******* ** *** ******* ****** ****
** ** ******** ***** ****** ** unprotected ****** **********, ******* *********** ******** measures, ** ************ ** ****'* ********* of *******, **** **** *** ********* to ******* ******* ********* *******.
**** ****** ** *** ******-**** ****** code, *** ******** *** ******* *** codebase *** ***************, **** ** **** authentication **********, ********* *****, ** ******** data ********. **** ***** **** ******* these *************** ** **** ************ ****** to *** ********** ******* ** ********** sensitive ****.
*** *** ******* **** *** ************ provide ************* ************** *** ********** ************. If *** ******** ******* ***** ****, they ***** *********** *** ********** ******, decrypt ********* **************, ** **** ********* code, ******* ** ******* *********** ** man-in-the-middle *******.
**** ****** ** *** ** ******** secret ****, **** ***** *** ***** credentials ** ******* ******* ** *** associated ***** ********. **** ***** ******* launching ** *********** *********, ********* ********* data ****** ** *** *****, ********* configurations, ** **** ******** ********** ************ accounts.
** ********* **** ********* *** *********, the ******** ***** ****** *** ***** server's *********. **** *** **** **** or ******** ******, **** ************ ****** to ***** ********, ********* ********* **************, or ******* ****** *********** *******.
Wansview *** ** ******* ***
*** ******* ** **** *** ******** and ******* **** ******* * ********** in ***** ****** *********. *******, ***** attempts **** ******** *****/******** *** *** work **** ******* ***.
***.*******.***************** ** *** **** ** *** Wansview *** ****** ********* ***,******** *****,******* *****,**** ***** ****, ********** ***********, ***** *** **** **** *** same ********** ** ***** ****** *********.
Pinned ************ - *** *** ******
**** ******** *** *** ****** **** Pinned *** ************, ******* *** ***** provider's *** *** ************ *** ********* into *** ******, ***** ******** ***-**-***-****** attacks ***** ***-********** ************:
**** ******* **** *** ****** **** only ******** *********** **** *** ***** server, ***** ** * **** ******** measure. ** **** ********* **** **** analyzing *** ********* ******* ****** *******.
TLS ******* ************
** *** ******* *** ******* ***** the*******.** ****** *** ********** ***** *******, ** observed ************* ** ***** **************. ***** some ******* ******** *** **.*/*.* *** excluded ********* *******, ***** ******* ********* TLS **.* ********* *** **.* *** obsoleted *******.
**** ******* ******* ***** ********** *** v1.1 *** ********* ***/*** *******.
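The check behind this section, written here as an added example (it is not IPVM's test harness and not Wansview code): a Python probe that attempts one handshake per TLS version, pinned to exactly that version, and then reports which obsolete versions (TLS 1.0 and 1.1, deprecated by RFC 8996) a server still accepts. Hostnames are placeholders you supply; nothing here is a real Wansview endpoint.

```python
"""Probe which TLS protocol versions a server will negotiate.

Added example for this report, not IPVM's or Wansview's tooling. Any host
passed in is a placeholder chosen by the operator, not an endpoint from the
report.
"""
import socket
import ssl
import sys

# Versions deprecated by RFC 8996; a server that still accepts them is the
# "obsoleted versions" finding the report describes.
OBSOLETE = {"TLSv1", "TLSv1.1"}
PROBE_VERSIONS = ("TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

_VERSION_CONST = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def negotiates(host: str, port: int, version: str, timeout: float = 5.0) -> bool:
    """Return True if the server completes a handshake pinned to `version`.

    Certificate verification is disabled on purpose: the question is what the
    server is willing to negotiate, not whether its certificate is valid.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ctx.maximum_version = _VERSION_CONST[version]
        # Modern OpenSSL builds refuse TLS 1.0/1.1 at the default security
        # level; lower it so a refusal reflects the server, not the client.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        # The local OpenSSL cannot speak this version at all; treat as
        # "not negotiated" and note the caveat in the usage text below.
        return False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() == version
    except (ssl.SSLError, OSError):
        return False


def probe(host: str, port: int = 443) -> dict:
    """Map each TLS version name to whether `host:port` negotiated it."""
    return {v: negotiates(host, port, v) for v in PROBE_VERSIONS}


def assess(results: dict) -> dict:
    """Summarise a probe: obsolete versions still accepted, and whether the
    server meets a TLS 1.2-or-newer-only baseline."""
    accepted_obsolete = sorted(v for v, ok in results.items() if ok and v in OBSOLETE)
    modern = [v for v in ("TLSv1.2", "TLSv1.3") if results.get(v)]
    return {
        "accepted_obsolete": accepted_obsolete,
        "modern_only": not accepted_obsolete and bool(modern),
        "no_tls": not any(results.values()),
    }


if __name__ == "__main__":
    # Usage: python tls_probe.py cloud.example.invalid[:port] ...
    for target in sys.argv[1:]:
        host, _, port = target.partition(":")
        results = probe(host, int(port) if port else 443)
        summary = assess(results)
        print(host, results, summary)
```

A negative result for TLS 1.0 or 1.1 can mean either that the server refused it or that the client's OpenSSL was built without it; when a version matters for a finding, confirm with a second tool (for example `openssl s_client -tls1_1` or nmap's `ssl-enum-ciphers` script) before reporting it.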
Versions ****
- ******** **: **.*****.**.**
- ******** ***** ******* ***: *.*.********