Friday March 10, 2017

200,000 Wi-Fi Cameras are Open to Multiple Hacks

200,000 Wi-Fi cameras are currently online and open to hacking due to a Chinese firm's intentional installation of a backdoor into the firmware at the production factory. To be exact, there are seven potential backdoor hacks that can be used to exploit these cameras. The cameras are sold generically as white-label goods for other vendors to brand as their own. The model number of the white-label camera is Wireless IP Camera (P2P) WIFICAM. The staggering list of affected models has exceeded 1,250! We have endured DDoS attacks from snack machines, and teddy bears spying on users. The IoT strikes again!


  • Backdoor account - Telnet runs by default, and everyone can log in with the following credentials: root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh

  • Pre-auth info and credentials leak - An attacker can bypass device authentication procedures by providing empty "loginuse" and "loginpas" parameters when accessing server configuration files. This allows the attacker to download device configuration files without logging in. The configuration files contain credentials for the device, and its FTP and SMTP accounts.

  • Pre-auth RCE as root - An attacker can bypass the authentication procedure and execute code on the camera as the root user just by accessing a URL with special parameters.

  • Streaming without authentication - An attacker can access the camera's built-in RTSP server on port 10554 and watch a live video stream without having to authenticate.

  • Cloud - The camera provides a "Cloud" feature that lets customers manage the device via the Internet. This feature uses a clear-text UDP tunnel to bypass NATs and firewalls. An attacker can abuse this feature to launch brute-force attacks and guess the device's credentials. Kim says this Cloud protocol was found in multiple apps for multiple products, and at least 1,000,000 devices (not just cameras) seem to rely on it to bypass firewalls and access closed networks where devices are located, effectively defeating the protection those private networks provide.
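For defenders, the pre-auth leak described above leaves a recognizable trace: a request that carries both "loginuse" and "loginpas" with blank values. The following is an added example, not part of the original article, that finds such requests in proxy or gateway logs; the access-log layout, the /placeholder.cfg path and the addresses are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a common access-log layout (assumed format).
# Paths and addresses are placeholders, not values from the advisory.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Mar/2017:09:00:01 +0000] "GET /placeholder.cfg?loginuse=&loginpas= HTTP/1.1" 200 4096
192.0.2.11 - - [10/Mar/2017:09:00:05 +0000] "GET /placeholder.cfg?loginuse=admin&loginpas=s3cret HTTP/1.1" 200 4096
192.0.2.12 - - [10/Mar/2017:09:00:09 +0000] "GET /index.html HTTP/1.1" 200 512
192.0.2.13 - - [10/Mar/2017:09:00:12 +0000] "GET /placeholder.cfg?loginuse=&loginpas= HTTP/1.1" 401 0
192.0.2.14 - - [10/Mar/2017:09:00:15 +0000] "GET /placeholder.cfg?loginuse=&loginpas=s3cret HTTP/1.1" 401 0
this line is not a request
"""

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def empty_login_requests(log_text):
    """Return (source, target, status, outcome) for every request in which
    both loginuse and loginpas are present but blank."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not an HTTP request line
        query = urlsplit(m["target"]).query
        # keep_blank_values=True matters: by default parse_qs silently drops
        # parameters with empty values, which would hide exactly this pattern.
        params = parse_qs(query, keep_blank_values=True)
        user, pwd = params.get("loginuse"), params.get("loginpas")
        if user is None or pwd is None:
            continue  # one or both parameters absent
        if any(value.strip() for value in user + pwd):
            continue  # at least one credential value was actually supplied
        status = int(m["status"])
        # A 200 means the device answered the blank-credential request, so
        # any credentials stored in its configuration should be rotated.
        outcome = "served" if status == 200 else "attempt"
        hits.append((m["src"], m["target"], status, outcome))
    return hits

if __name__ == "__main__":
    for src, target, status, outcome in empty_login_requests(SAMPLE_LOG):
        print(f"{outcome:8} {src:15} {status} {target}")
```

A "served" hit is the case to escalate, since the article notes the configuration files hold the device, FTP and SMTP credentials.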