Researchers have disclosed the details of several potentially serious vulnerabilities affecting thermal security cameras from FLIR Systems, said to be the world’s largest provider of thermal imaging cameras, components and imaging sensors.
The flaws were discovered by Gjoko Krstic of Zero Science Lab and were disclosed over the weekend by Beyond Security. The issues were reported to FLIR on June 27, and while the company responded to Beyond Security’s emails, it did not provide an estimated date for workarounds or patches.
Krstic found various types of vulnerabilities in FLIR’s FC-Series S, FC-Series ID and PT-Series thermal security cameras, including information disclosure, authenticated and unauthenticated remote code execution, and hardcoded credentials issues. The researcher also found a vulnerability that allows an unauthenticated attacker to access a camera’s live feed.
Proof-of-concept (PoC) requests and code have been made available for each of the vulnerabilities.
A scan via the Internet search engine Censys shows that thousands of FLIR thermal cameras are accessible directly from the Internet, which increases the risk of exploitation of the vulnerabilities identified by Krstic.
The researcher discovered that an attacker can leverage API functionality provided by the FLIR web server to download various files from the FLIR OS. He also noticed that the web server does not check if the user is authenticated when they make a request to see the camera’s live feed, allowing an attacker to gain access to the video stream by sending a simple request.
Specially crafted requests can also be used by authenticated and unauthenticated attackers to execute arbitrary code. These security holes are caused by the lack of proper sanitization for user-controlled input.
Finally, Krstic discovered that the code includes various credentials that provide access to the devices.
Contacted by SecurityWeek, FLIR said it’s evaluating Beyond Security’s advisory and promised to provide an update on its findings once its assessment has been completed.
UPDATE 10/17/2017. FLIR told SecurityWeek it has released firmware updates to patch the vulnerabilities.