Vulnerabilities in hundreds of thousands of IP cameras means they could fall victim to malware compromise, researchers said.
While not related, last month, the Mirai botnet ended up incorporating Internet of Things (IoT) devices like IP cameras and other similar devices to set off a distributed denial of services (DDoS) attack.
These most recent vulnerabilities initially ended up discovered two years ago in IP cameras bought online, said Cybereason’s Amit Serper in a blog post. He said it only took 6 hours for the discovery.
Not only have these vulnerabilities not been patched, but today’s exploits make them even more dangerous, Serper said.
The hundreds of thousands of affected cameras are spread worldwide.
Most of the susceptible devices run older versions of Linux, like version 2.6.26, but there are also some models powered by version 3.0 and up. Regardless of the operating system, however, all the cameras ran extremely old and vulnerable software. The Web server in many of them was from around 2002, the researchers said.
The vulnerabilities, which Cybereason said are two Zero Day flaws, impact IP cameras readily available from several vendors. At least 31 camera models from different retailers on Amazon are vulnerable, and one of the vendors even claims that its users will no longer have “security vulnerability worries” when purchasing its devices.
The first bug is a combined authentication bypass and information disclosure, which allowed the researchers to request any file in the Web server folder. Because a file that contained important information such as the passwords people used when accessing the camera was present in that folder, the vulnerability could end up used to retrieve that password.
“I also found out even if you want to set a strong password (even though we have the ability to just ask the camera for the password), you simply cannot, because of the fact the developer used an ‘or’ operand instead of an ‘and.’ That means a password can only be all numbers or all lowercase characters or all uppercase characters,” Serper said.
“Having the password allowed me to use the exploit I discovered. This exploit lets me inject commands via Web server, which is important since the Web server itself runs as root, all Web server commands run as root as well. And since I have root access, it doesn’t matter if users change their passwords: With root access, I can always take control the camera. In addition to being able to move the camera and see the images it’s sending (or make it send different images), I can also execute code.”
In the case of the vulnerable IP cameras, software updates aren’t possible, meaning that the vulnerabilities remain there. The only manner in which users could stay safe from the flaws is to throw away a vulnerable product, the researchers say.
Cybereason released a tool and information on how users could discover whether their cameras are vulnerable or not.