Security Experts:

Connect with us

Hi, what are you looking for?



Hundreds of Thousands of IP Cameras Exposed to IoT Botnets

Vulnerabilities in hundreds of thousands of IP cameras render them susceptible to malware compromise, which could eventually result in them being ensnared into Internet of Things (IoT) botnets, Cybereason security researchers warn.

Vulnerabilities in hundreds of thousands of IP cameras render them susceptible to malware compromise, which could eventually result in them being ensnared into Internet of Things (IoT) botnets, Cybereason security researchers warn.

These flaws aren’t related to the Mirai botnet that became a celebrity over the past few months, but they can be as damaging, the security researchers say. The vulnerabilities were initially discovered two years ago in IP cameras bought online, and Cybereason’s Amit Serper says that only 6 hours were needed for the discovery.

The issues have been already discussed by other researchers, but Serper says that not only haven’t these vulnerabilities been patched until now, but the exploits available for them make them even more dangerous than believed. The worst part, they say, is that the hundreds of thousands of cameras that are affected are spread worldwide.

Most of the impacted devices run older versions of Linux, like version 2.6.26, but there are also some models powered by version 3.0 and up. Regardless of the operating system, however, all the cameras were found to run extremely old and vulnerable software. The Web server in many of them was from around 2002, the researchers say.

The vulnerabilities, which Cybereason says are two zero-day flaws, impact IP cameras readily available on Amazon from several vendors. At least 31 camera models from different retailers on Amazon are vulnerable, and one of the vendors even claims that its users will no longer have “security vulnerability worries” when purchasing its devices. The camera, the vendor claims, will inform users when they have a weak password and packs other security features as well.

The first bug is a combined authentication bypass and information disclosure, which allowed the researchers to request any file in the Web server folder. Because a file that contained important information such as the passwords people used when accessing the camera was present in that folder, the vulnerability could be used to retrieve that password.

What’s more, the affected camera didn’t even allow users to set strong passwords, because it would only accept those that included “all numbers or all lowercase characters or all uppercase characters.” With the password in their hands, the researchers could then execute their exploit and inject commands via Web server, which runs as root. Thus, even if users changed their passwords, an attacker would still have control of the camera, since they have root access.

“In addition to being able to move the camera and see the images it’s sending (or make it send different images), I can also execute code. And by using a site like Shodan or Censys, which lets people search for specific devices connected to the Internet, I can run queries, find other cameras with the vulnerabilities, execute malicious code on them and within minutes build a botnet of hundreds of thousands of devices,” Cybereason’s researcher explains.

To ensure that adversaries don’t attempt to exploit the vulnerable devices, the researchers decided not to reveal the technical details pertaining to these issues, nor the vulnerable camera models. However, they do say that they already notified the vendors and the companies that assemble the cameras on these vulnerabilities, but that no reply has been received so far.

“Some companies, especially those that crank out cheap IoT products, aren’t interested in or can’t patch their products. They’re focused on getting a device to market as quickly as possible, reducing security to an afterthought. In many cases, developing and selling a new model that addresses the exploit is easier and more lucrative than repairing the flawed models, either through a recall or by issuing a software update,” Serper says.

In the case of the vulnerable IP cameras, software updates aren’t possible, meaning that the vulnerabilities remain there. The only manner in which users could stay safe from the flaws is to throw away a vulnerable product, the researchers say. They also released a tool and information on how users could discover whether their cameras are vulnerable or not.

Related: Backdoor Found in Many Sony Security Cameras

Related: Serious Flaws Expose AVTECH Devices to IoT Botnets

Related: Surveillance Cameras From 70 Vendors Vulnerable to Remote Hacking

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.