Exploiting Network Security Cameras: Understanding and Mitigating the Risks

Security cameras are an important tool for protecting homes and businesses. While they provide valuable assurance for physical assets, they also often expose interfaces that allow users to manage the device over the network, presenting a number of potential cybersecurity risks.

In this article, we will explore the potential dangers associated with IP-enabled security cameras, including a case study of a vulnerable device.

Common Vulnerabilities

Outdated Software Versions

Manufacturers are constantly competing to release their product as soon as possible to build a larger market share with their solution. Physical products can take a significant amount of time to reach shelves from initial design, and companies often start production without necessarily considering the security implications.

The primary issue with this is that firmware is usually several weeks, or even months, out of date by the time the product reaches consumer shelves. According to NIST, 2021 saw an average of 50 CVEs disclosed each day, meaning that the likelihood of a security camera being vulnerable to a new CVE before it is even unboxed and installed increases every day the camera sits on a shelf.

In March 2021, researchers found that the firmware for TP-LINK TAPO C200 cameras up to and including version 1.1.15 allowed for attackers to take advantage of the uhttpd binary running as root. Exploiting this vulnerability gave attackers full remote control of the camera. This means that the camera was vulnerable right from its initial release, and threat actors could have taken advantage of this months before the vulnerability was publicly disclosed.

This is not the only high impact issue found within TAPO C200 cameras since its initial release in September 2019. In July 2020 it was found that the camera was vulnerable to the well-known Heartbleed vulnerability, allowing attackers to gain unauthorised access to the camera’s API. Attackers were able to make API calls, moving the camera motor, erasing the contents of the device’s external storage, and even creating new user accounts to access the camera’s live viewing feature.

Default and Weak Credentials

Weak and default passwords are still a common problem for network defenders, and security cameras are no exception. Most, if not all, IP cameras provide a Graphical User Interface (GUI) for their users. Some also like to provide terminal based access to configure settings that are not available through the GUI. Both points of access sometimes only have one account type, administrator level, so password security should be considered high priority.

Often, default accounts use weak or hardcoded credentials, or even have no password at all – just requiring a username. With hardcoded credentials, it is impossible for users to change or delete weak credentials, posing an ongoing and unpreventable risk of compromise.

Accessible over the Internet

With some cameras offering remote security monitoring, this requires inbound connections via the internet. Services such as Shodan, Zoomeye and LeakIX exist as search engines to allow users to search for things connected to the internet. A large portion of these results include IP cameras, security or otherwise, meaning that there is a large database of potentially vulnerable IP cameras one click away for anyone to potentially view, connect to, and even target with further attacks.

Graphical user interface, website Description automatically generated

Attackers are able to filter through port numbers, brand names and versions of software if the device discloses it (for example, via response headers). This could allow targeted attacks against device models with known vulnerabilities.

A Deeper Dive

Using one particular camera as an example it is possible to demonstrate some of these risks. A low cost CACAGOO security camera was chosen for this, which offers remote control access to the camera via a mobile application as well as onboard and cloud storage. This makes it an attractive option for businesses looking for a quick and cheap solution to physical security, however it contains two publicly known vulnerabilities.

  • CVE-2020-9349 – The CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 allows access to the RTSP service without a password.
  • CVE-2020-6852 – CACAGOO Cloud Storage Intelligent Camera TV-288ZD-2MP with firmware 3.4.2.0919 has weak authentication of TELNET access, leading to root privileges without any password required.

Gaining Access 

The camera only has one port open to the outside world, which is telnet – a cleartext protocol accessible over TCP port 23.

Text Description automatically generated

Given that telnet is a cleartext protocol, a well-positioned attacker could potentially intercept and view credentials in transit.

Graphical user interface, application Description automatically generated

If exposed to the internet, an attacker could also attempt to guess the default username and password, e.g. admin:admin or admin:password. In fact, this telnet service does not have a password set for its user, and it is possible to login to the device just by entering root as the username in order to take complete control of the host.

Text Description automatically generated

With root access an attacker is now able to access everything on the camera. They are currently not able to view the live feed of the camera but still able to access its SD card storage.

What Else Can We Find? 

The camera is full of default installation files that can be viewed freely but contain nothing particularly interesting. Within /var/tmp/sd/ there are three items – two log files and a directory called record. The directly is where the camera stores all the data saved on the SD card. This would allow an attacker to download images and videos from the camera and use them to view everything the camera has captured within a certain timeframe.

A screenshot of a computer Description automatically generated with low confidence

The log files are particularly interesting. They log everything since the initial setup of the device, including when the camera takes a video or photo and even every time the camera is adjusted by its controls. The most interesting element of the log files though is that it logs the SSID and password for the wireless networks it has connected to.

Graphical user interface, text Description automatically generated

It also appears to have sent the SSID for the router through to an API. Upon further investigation it shows that the API is hosted by Alibaba’s AliCloud service in Frankfurt.

A legitimate attacker would be likely to focus further efforts against this API in an attempt to gain access to other user’s backups and configuration details.

Conclusion

Some manufacturers of IP cameras overlook or ignore potential network security threats. If a security camera is compromised, the consequences can be significant for both the organization using the camera and the individuals being monitored. In terms of physical security, a compromised camera may not be able to effectively monitor and protect a location, potentially allowing unauthorized individuals to enter the premises undetected. In addition to this, an attacker could potentially use this access to launch further cyber-attacks against the infrastructure, disrupting operations or even using the device to deliver malware to the organization’s network.

The impact of a security camera being compromised can therefore be far-reaching and potentially catastrophic. It is important for organizations using security cameras to take steps to protect against these risks, such as securing the device with a strong password and keeping it and its software up to date. By taking these precautions, organizations can help to ensure that their security cameras are able to effectively monitor and protect their premises and networks.

The post Exploiting Network Security Cameras: Understanding and Mitigating the Risks appeared first on Nettitude Labs.

Article Link: Exploiting Network Security Cameras - Nettitude Labs