Get ready for the next camera-botnet: a Chinese generic wireless webcam sold under more than 1,200 brands from 354 vendors has a buggy and exploitable embedded web server.
According to an advisory by security researcher Pierre Kim this week, the flaws lie within the camera's administration interface – plus the firmware opens insecure connections to backend systems.
Kim posted a Shodan.io link that lists more than 185,000 vulnerable Wi-Fi-connected cameras exposed to the internet, ready and waiting to be hijacked. The cameras' CGI script for configuring its FTP server has a remote code execution hole known since 2015, Kim said, and this can be used to run commands as root or start a password-less Telnet server.
There's a folder in the file system,
/system/www/pem/, that includes an Apple developer certificate with a private RSA key. Then there's an unauthenticated real-time streaming protocol (RTSP) server, so if you can reach the camera's TCP port 10554, you can watch what it sees.
The camera connects to the cloud by default to be can be remotely controlled by a smartphone app. All an attacker needs to commandeer a camera is one of these apps (Kim tried P2PWificam and Netcam360), and the serial number of the target.
Kim notes that such easily attacked cameras could effortlessly be recruited into a botnet. His alert includes proof-of-concept exploit code and the sensible advice that cameras should not connect to the internet.
The vulnerabilities clearly go back a long way, since 3Com's name is in the list of affected gear. Other big names include D-Link, Akai, Kogan, Logitech, Mediatech, Panasonic, Polaroid, and Secam.
Australian readers might want to check out cameras bought from Jaycar, particularly under the QC-38nn model range. ®
PS: Kim thought the security vulnerabilities were within a third-party web server called EmbedThis, which is used by the cameras to provide a user interface. The developers of EmbedThis disagree, and say the flaws are in custom code included by the hardware makers. Kim also named Axis as a vulnerable vendor: Axis says it is "not susceptible to the vulnerabilities stated by Pierre Kim."