Hacking into Surveillance Cameras

Wednesday, July 8, 2015 @ 11:07 AM gHale

With physical and cyber security meshing together closer and closer, attackers are able to get in and view surveillance cameras.

One case in point is vulnerabilities ended up discovered in AirLive’s surveillance cameras designed for professional surveillance and security applications, according to a report from Nahuel Riva, a research engineer from Core Security.

Security from an Executive Level
Beta Patches for IP Camera Bugs
IP Camera Holes Allow Video Capture
Viber Android Security Bypass

Riva was able to invoke some computer generated imagery (CGI) without authentication, while backdoor accounts allowed him to execute arbitrary commands on the device.

An attacker who has compromised the camera could see the video stream the camera is transmitting and use the device to compromise other devices/computers on the network.

Vulnerable packages include:
• AirLive BU-2015 with firmware 1.03.18 16.06.2014
• AirLive BU-3026 with firmware 1.43 21.08.2014
• AirLive MD-3025 with firmware 1.81 21.08.2014
• AirLive WL-2000CAM with firmware LM.1.6.18 14.10.2011
• AirLive POE-200CAM v2 with firmware LM.

In the case of the MD-3025, BU-3026 and BU-2015 cameras, the vulnerability lies in the cgi_test.cgi binary file. In the case of the WL-2000CAM and POE-200CAM cameras, the command injection can occur using the vulnerable wireless_mft.cgi binary file.

Core Security notified AirLive on May 4, but never received a response.

You should apply a WAF (Web Application Firewall) rule that would filter the vulnerable request (either the CGI file or the parameters where the injection ends up performed) in order to avoid exploitation.