Hundreds of thousands of IP cameras from several vendors are affected by two zero-day vulnerabilities that allow an attacker to hijack the device, use it as a pivot point for other attacks, or spy on the camera's owner.
The zero-days affect the web server built into the firmware of many of these devices, which allows users to connect to the IP camera, configure it, or view a live feed.
Cybereason researchers Amit Serper and Yoav Orot found that this web server ran a version released way back in 2012. Beyond the server being extremely old and outdated, the two also discovered two zero-day vulnerabilities in its code that allowed an attacker to take over the device.
The first was a combination of an authentication bypass and an information disclosure that allowed them to access a sensitive server file that contained the device's password.
The second zero-day was a command injection flaw that allowed an attacker to execute code on the server's behalf. Since the server ran as the "root" user, the commands were executed on the underlying Linux-based operating system with all admin privileges.
The two researchers said this flaw affects multiple white-label IP cameras sold through online stores such as Amazon and eBay. The two ordered over 30 different camera models and tested the flaws on them, but said that many more could still be vulnerable.
Most of these devices were built with different hardware, but used the same faulty firmware. Almost all are cheap cameras, for which vendors have not bothered providing an over-the-air update system.
Serper says that most of these cameras are unpatchable, mainly due to the fact that some of them can't be traced back to their vendor.
"Other cameras I ordered were literally delivered in a white box without a manufacturer’s name or even a logo, making it impossible to figure out who to contact," he says. "And the cameras weren’t much help in revealing what company made them: they weren’t branded."
And even if they were, Serper says vendors didn't bother replying to emails. In fact, Serper says he and Orot discovered the zero-days a few years back, but only now bothered to write about them, after seeing the recent DDoS attacks carried out with IoT botnets.
The fear of helping crooks expand IoT botnets has kept the two researchers from publishing any technical details about the two zero-days and any sample of the exploit code. Serper did, however, post online a video of himself taking over one of the cameras.
The two researchers also declined to name the vulnerable IP camera brands they managed to identify, so as not to tip off botnet operators about possible targets they could exploit.
Nevertheless, in order to help the people that bought and deployed such devices, the two created a website where IP camera owners can answer a few questions and see if they're in possession of one of the IP camera models affected by these two zero-days.
There are two dead giveaways. One is that the camera's default password is "888888," and the second is in the camera's serial number. If this serial number ID (usually printed on the sticker on the bottom of the camera, or on its box) starts with the following strings of characters, then the camera is most likely vulnerable.
"The only way to guarantee that an affected camera is safe from these exploits is to throw it out," Serper said, "Seriously."
Serper then goes on to say that there could be another way to update these devices, and that's by using a script he created.
"The script, however, includes the exploits’ code," the researcher sadly explains. "This means attackers could use the script for nefarious purposes, so I don’t want to release it."
Below is a video of Serper talking about his discovery.