200,000 Wi-Fi Cameras Vulnerable To Hacking

As many as 200,000 Wi-Fi connected webcams were found to be vulnerable to hacking according to BleepingComputer.

While investigating a security flaw within a product called Wireless IP Camera (P2P) WIFICAM produced by an unknown Chinese manufacturer, several vulnerabilities within the server that Wi-Fi cameras were connected to were discovered. The vulnerabilities allow anyone to access as many as 250,000 webcams connected to the company’s servers.

Pierre Kim, a digital security researcher, stated that the camera firmware created by the Chinese vendor had several flaws which have been transferred into the products of other companies that bought the unbranded camera to sell. It’s estimated that nearly 1,250 camera models that were based on the original camera are open to these security flaws.

The GoAhead web server, designed to allow camera users to access their home security cameras from anywhere, is reportedly the root of the vulnerabilities. Problems with the server’s security allowed the cameras to be accessed by anyone. Kim stated that there were seven vulnerabilities in the cameras. BleepingComputer posted the biggest ones below:

Backdoor account – Telnet runs by default, and everyone can log in with the following credentials.
root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh

Pre-auth info and credentials leak – An attacker can bypass device authentication procedures by providing empty “loginuse” and “loginpas” parameters when accessing server configuration files. This allows the attacker to download device configuration files without logging in. The configuration files contain credentials for the device, and its FTP and SMTP accounts.

Pre-auth RCE as root – An attacker can bypass the authentication procedure and execute code on the camera under the root user just by accessing an URL with special parameters.

Streaming without authentication – An attacker can access the camera’s built-in RTSP server on port 10554 and watch a live video stream without having to authenticate

Cloud – The camera provides a “Cloud” feature that lets customers manage the device via the Internet. This feature uses a clear-text UDP tunnel to bypass NATs and firewalls. An attacker can abuse this feature to launch brute-force attacks and guess the device’s credentials. Kim says this Cloud protocol was found in multiple apps for multiple products, and at least 1,000,000 devices (not just cameras) seem to rely on it to bypass firewalls and access closed networks where devices are located, effectively defeating the protection those private networks provide.

“I advise to IMMEDIATELY DISCONNECT cameras [from] the Internet,” Pierre Kim said in a blog post. “Hundreds of thousands [of] cameras are affected by the zero-day info-leak. Millions of them are using the insecure Cloud network.” A full list of all the 1,250+ vulnerable camera models can be found on Kim’s blog.

**UPDATE**

Embedthis states that there is no vulnerability in the GoAhead server software, and Kim has issued an update to his original report, stating:

Following exchanges with Embedthis Software, it appears the vulnerabilities are not located inside GoAhead but from custom and proprietary development by the Chinese OEM vendor.