Vulnerabilities found in video surveillance products from AVTECH could be exploited by Internet of Things (IoT) botnets, researchers said.
Taiwan-based AVTECH offers a wide range of IP cameras, CCTV equipment and network recorders. It has no connection to U.S.-based AVTECH, which provides environment monitoring solutions.
All AVTECH devices and all firmware versions suffer from security holes, including flaws that could allow attackers to take control of vulnerable cameras and recorders, Search-Lab researcher Gergely Eberhardt said in a blog post.
The most serious issues uncovered could be exploited to bypass authentication and inject arbitrary commands (both with and without authentication). The researcher also determined that the devices do not protect against cross-site request forgery (CSRF) attacks, store admin passwords in plain text, use HTTPS without certificate verification, and expose potentially sensitive configuration data.
The web-based administration interface of AVTECH devices is protected by a CAPTCHA system meant to prevent brute-force attacks, but attackers can easily bypass the mechanism. Eberhardt found two methods to bypass the CAPTCHA.
While there is no evidence that the vulnerable AVTECH products are part of a botnet, researchers said one of the authenticated command injection flaws has been exploited.
Search-Lab attempted to inform AVTECH of the vulnerabilities on several occasions between October 2015 and September 2016. Since the vendor did not respond, Search-Lab decided to make its findings public and release proof-of-concept (PoC) code.