XSS vulnerabilities in a video camera monitoring web service that allow cyber-criminals to remotely access user audio/video recording by injecting malicious code.
Avira researchers have identified a vulnerability in a popular internet of things (IoT) home security camera, the Victure PC530. The vulnerability affects user privacy, allowing cyber-criminals to remotely access the camera and view users' homes. It also places other home devices at risk of compromise. This article describes the technical issues behind the vulnerability, but if you would like more general information about the challenges created by such devices, you can read more on the avira.com blog.
CVE Reference: CVE-2019-15940
Device Name: Wireless Security Camera
Firmware Version: 3.13.70
CPU: Grain Media GM81355
Application: iOS & Android
WiFi LAN Frequency: 2.4GHz, WPA2 encryption, IEEE802.11b/g/n
SD Card: Max support up to 64G
Researchers at Avira found vulnerabilities in the Victure PC530 surveillance camera that compromise user privacy and cause security risks. They uncovered a security flaw that permits cybercriminals to remotely spy without any form of authentication. This affects the overall security of a home network, and could even impact the global internet infrastructure.
The device is susceptible to a series of authentication bypass vulnerabilities, enabling attackers to remotely gain control of devices, decommission them, or even use them as espionage and surveillance tools.
Exploitation of the vulnerabilities found in the Victure PC530 surveillance camera could enable attackers to remotely control a relatively large number of smart cameras. From this, attackers could move laterally across networks and extract sensitive information from other devices on the network. They could potentially extort victims by capturing sensitive and private images and videos from their own homes, or instruct cameras to perform massive denial of service attacks and ask for ransom to stop the assaults.
Once telnet is accessed, the system is exposed. The camera then becomes a platform for malicious activities. These can include using the camera to penetrate the network, or the download of tools for spying or running malware.
Avira researchers found that the file system was read-only. However, cameras such as the PC530 typically support external memory cards. Although vendors claim that videos are encrypted and therefore safe from access, an attacker can still install malicious code on the camera using telnet. The camera can then be used for reconnaissance or penetrating other systems on the network. This is demonstrated below:
Avira researchers ran Nmap, a free and open source network scanner, on the camera. The camera scanned the network, identifying open services which could then be exploited.
Researchers found an FTP service on the network that was vulnerable to vsftpd Backdoor Command Execution. To replicate a real-world scenario, we sent a Linux command to a vulnerable system in the network and received the response back at the CnC (the camera):
Researchers observed that the PC530 supported ONVIF software. Although RTSP is not used by default, if ONVIF is used on the camera, it will use RTSP for streaming. Unfortunately, RTSP has weak authentication for credentials, and is vulnerable to man-in-the-middle intercepts of the password and video stream:
A dictionary-based attack was used to extract the username and password of the camera, enabling the live video stream to be accessed. Victure has already stated that there is unencrypted traffic when ONVIF is on, which is a security risk.
Avira researchers also found that ONVIF Manager allows the RTSP address to be found, and the URL can be played via Media Player without authentication. The RTSP stream can then be exposed to the internet. This was accomplished as a proof of concept by running tcpdump on the camera and forwarding the RTSP traffic.
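A defender can audit a capture of camera traffic for the RTSP conditions described above: a stream served with no authentication, credentials recoverable in transit, and authenticated but still unencrypted streaming. The following is an added example, not code from Avira or Victure; the exchanges, addresses and credentials are constructed, and it assumes RTSP's standard Basic and Digest schemes because the article does not say which one the camera uses.

```python
import base64

# Constructed (request, response) pairs as they would appear in a capture of
# camera traffic. Addresses and credentials are made up for this example.
SAMPLE_EXCHANGES = [
    ("DESCRIBE rtsp://192.0.2.10:554/stream RTSP/1.0\r\nCSeq: 1\r\n\r\n",
     "RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n"),
    ("DESCRIBE rtsp://192.0.2.11:554/stream RTSP/1.0\r\nCSeq: 1\r\n"
     "Authorization: Basic " + base64.b64encode(b"user:example").decode() + "\r\n\r\n",
     "RTSP/1.0 200 OK\r\nCSeq: 1\r\n\r\n"),
    ("DESCRIBE rtsp://192.0.2.12:554/stream RTSP/1.0\r\nCSeq: 2\r\n"
     'Authorization: Digest username="user", realm="cam", nonce="abc", '
     'uri="rtsp://192.0.2.12:554/stream", response="0123"\r\n\r\n',
     "RTSP/1.0 200 OK\r\nCSeq: 2\r\n\r\n"),
    ("DESCRIBE rtsp://192.0.2.13:554/stream RTSP/1.0\r\nCSeq: 1\r\n\r\n",
     "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
     'WWW-Authenticate: Digest realm="cam", nonce="abc"\r\n\r\n'),
]

def parse(message):
    """Split an RTSP message into (first line, lower-cased header dict)."""
    head = message.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return head[0], headers

def classify(request, response):
    """Return a finding for one exchange, or None when the server refused it."""
    req_line, req_headers = parse(request)
    status = int(parse(response)[0].split(" ")[1])
    method = req_line.split(" ", 1)[0]
    if method not in ("DESCRIBE", "SETUP", "PLAY") or status != 200:
        return None
    auth = req_headers.get("authorization", "")
    if not auth:
        return "unauthenticated-stream"      # served without any credentials
    if auth.lower().startswith("basic "):
        return "cleartext-credentials"       # base64 only, readable in transit
    return "authenticated-but-unencrypted"   # Digest: stream still in the clear

def audit(exchanges):
    """Return (stream URL, finding) for every exchange that needs attention."""
    results = [(parse(req)[0].split(" ")[1], classify(req, resp))
               for req, resp in exchanges]
    return [(url, finding) for url, finding in results if finding]

if __name__ == "__main__":
    for url, finding in audit(SAMPLE_EXCHANGES):
        print(f"{finding:32} {url}")
```

Any finding from this audit means the stream should be kept off untrusted networks; only the fourth sample, where the server answers 401, produces none.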
Further analysis of the camera led to the discovery of the gSOAP Integer Overflow Vulnerability CVE-2017-9765. This allows remote code execution and denial of service. Researchers were able to create a denial of service:
Pid 135 is the process responsible for handling the functionality of the camera. The image below demonstrates it is no longer operating.
A carefully crafted input file (payload) to the camera may result in remote code execution.
All manufacturers have a responsibility to ensure they address the lack of sufficient cybersecurity in IoT devices. This is not an issue just for the IP surveillance industry, but for all IoT-based businesses.
Avira researchers recommend that the vulnerabilities in the Victure PC530 smart cameras are addressed as follows:
Last but not least, the lack of sufficient cybersecurity implementations in IoT devices is the next thing to tackle, not only for the IP surveillance industry but for all IoT-based businesses.