Vulnerabilities in hundreds of thousands of IP cameras render them susceptible to malware compromise, which could eventually result in them being ensnared into Internet of Things (IoT) botnets, Cybereason security researchers warn.
These flaws aren’t related to the Mirai botnet that became a celebrity over the past few months, but they can be as damaging, the security researchers say. The vulnerabilities were initially discovered two years ago in IP cameras bought online, and Cybereason’s Amit Serper says that only 6 hours were needed for the discovery.
The issues have been already discussed by other researchers, but Serper says that not only haven’t these vulnerabilities been patched until now, but the exploits available for them make them even more dangerous than believed. The worst part, they say, is that the hundreds of thousands of cameras that are affected are spread worldwide.
Most of the impacted devices run older versions of Linux, like version 2.6.26, but there are also some models powered by version 3.0 and up. Regardless of the operating system, however, all the cameras were found to run extremely old and vulnerable software. The Web server in many of them was from around 2002, the researchers say.
The vulnerabilities, which Cybereason says are two zero-day flaws, impact IP cameras readily available on Amazon from several vendors. At least 31 camera models from different retailers on Amazon are vulnerable, and one of the vendors even claims that its users will no longer have “security vulnerability worries” when purchasing its devices. The camera, the vendor claims, will inform users when they have a weak password and packs other security features as well.
The first bug is a combined authentication bypass and information disclosure, which allowed the researchers to request any file in the Web server folder. Because a file that contained important information such as the passwords people used when accessing the camera was present in that folder, the vulnerability could be used to retrieve that password.
What’s more, the affected camera didn’t even allow users to set strong passwords, because it would only accept those that included “all numbers or all lowercase characters or all uppercase characters.” With the password in their hands, the researchers could then execute their exploit and inject commands via Web server, which runs as root. Thus, even if users changed their passwords, an attacker would still have control of the camera, since they have root access.
“In addition to being able to move the camera and see the images it’s sending (or make it send different images), I can also execute code. And by using a site like Shodan or Censys, which lets people search for specific devices connected to the Internet, I can run queries, find other cameras with the vulnerabilities, execute malicious code on them and within minutes build a botnet of hundreds of thousands of devices,” Cybereason’s researcher explains.
To ensure that adversaries don’t attempt to exploit the vulnerable devices, the researchers decided not to reveal the technical details pertaining to these issues, nor the vulnerable camera models. However, they do say that they already notified the vendors and the companies that assemble the cameras on these vulnerabilities, but that no reply has been received so far.
“Some companies, especially those that crank out cheap IoT products, aren’t interested in or can’t patch their products. They’re focused on getting a device to market as quickly as possible, reducing security to an afterthought. In many cases, developing and selling a new model that addresses the exploit is easier and more lucrative than repairing the flawed models, either through a recall or by issuing a software update,” Serper says.
In the case of the vulnerable IP cameras, software updates aren’t possible, meaning that the vulnerabilities remain there. The only manner in which users could stay safe from the flaws is to throw away a vulnerable product, the researchers say. They also released a tool and information on how users could discover whether their cameras are vulnerable or not.