Kaspersky Lab researchers have discovered multiple security vulnerabilities in Hanwha Techwin brand of IP cameras, sold worldwide as baby monitors, or for internal home and office security surveillance.
According to the research, the uncovered flaws could allow attackers to obtain remote access to video and audio feeds from the cameras, remotely disable these devices or execute arbitrary malicious code on them.
Smart cameras in general tend to contain security vulnerabilities at different levels of severity, experts have found. In this particular case, the vulnerabilities were due to an insecurely designed cloud-backbone system initially created to enable remote access of video from the devices.
The way the cameras interacted with the cloud service was insecure and open to relatively easy interference, the researchers discovered. They also found that the architecture of the cloud service itself was vulnerable to external interference.
It is important to note that such attacks were only possible if attackers knew the serial number of the camera. However, the way in which serial numbers are generated is relatively easy to find out through simple brute-force attacks: the camera registering system didn’t have brute force protection.
By exploiting these vulnerabilities, malicious users could access video and audio feeds from any camera connected to the vulnerable cloud service, and remotely gain root access to a camera and use it as an entry-point for further attacks on other devices on both local and external networks.
Attackers could also remotely upload and execute arbitrary malicious code on the cameras; steal personal information such as users’ social network accounts and information which is used to send users notifications and even remotely “brick” vulnerable cameras.
Following the discovery, Kaspersky Lab researchers contacted and reported the vulnerabilities to Hanwha Techwin, the manufacturer of the affected cameras. At the time of publication, some vulnerabilities had already been fixed, and the remaining vulnerabilities are set to be completely fixed soon, according to the manufacturer.
While doing their research, Kaspersky Lab experts were able to identify almost 2,000 vulnerable cameras working online, but these were only the cameras that had their own IP address, hence were directly available through the internet. The real number of vulnerable devices placed behind routers and firewalls could actually be several times higher.
In addition, researchers found an undocumented functionality, which could be used by the manufacturer for final production test purposes. However, at the same time criminals could use this hidden avenue to send wrong signals to any camera or change a command already sent to it. Besides that, the feature itself was found to be vulnerable. It could be further exploited with a buffer overflow, potentially leading to the camera’s shutdown. The vendor has now fixed the issue and removed this feature.