Wi-Fi Cameras Vulnerable to Botnet

Friday, March 10, 2017 @ 11:03 AM gHale


Mirai botnet a little bit ago proved it was possible to create a string of attacks together from various – and not typical – Internet of Things (IoT) devices.

It now looks like another device is susceptible to falling victim to a botnet.

RELATED STORIES
Botnet Capable of Becoming DDoS
Trojan Hits Android Devices
Botnet Propagates via Thumb Drives
Hacker Hijacks Printers

That is because a wireless camera manufactured by a Chinese company and sold around the world under different names and brands can easily end up taken over or falling victim to a botnet.

The flaw that allows this to happen is found in a custom version of GoAhead, a lightweight embedded web server that is in the devices, which are over 185,000.

Security researcher Pierre Kim discovered the vulnerabilities when he tested one of the branded cameras, the Wireless IP Camera (P2P) WIFICAM.

“This vulnerability allows an attacker to steal credentials, ftp accounts and smtp accounts (email),” Kim said in a blog post, where is also lists all vulnerable devices.

The summary of the vulnerabilities is:
1. Backdoor account
2. RSA key and certificates
3. Pre-Auth Info Leak (credentials) within the custom http server
4. Authenticated RCE as root
5. Pre-Auth RCE as root
6. Misc – Streaming without authentication
7. Misc – “Cloud” (Aka Botnet)

Kim also released a PoC exploit that leverages the flaw to allow an attacker to achieve root shell on the device.

Other vulnerabilities present include a RTSP server running on the camera’s TCP 10554 port, which can end up accessed without authentication, allowing attackers to watch what the camera streams.

There is also a “cloud” functionality that is on by default, through which the camera can end up managed via a mobile Android app. The connection between the two ends up established through UDP, and will automatically connect any app that “asks” if a particular camera is online. Effectively, the attacker needs to know the serial number of the device.

The established UDP tunnel can also end up used by the attacker to dump the camera’s configuration file in cleartext, or to bruteforce credentials.

“The UDP tunnel between the attacker and the camera is established even if the attacker doesn’t know the credentials,” Kim said. “It’s useful to note the tunnel bypasses NAT and firewall, allowing the attacker to reach internal cameras (if they are connected to the Internet) and to bruteforce credentials. Then, the attacker can just try to bruteforce credentials of the camera.”

Kim said users should disconnect them from the Internet. A search with Shodan revealed there are over 185,000 vulnerable cameras.

The vulnerabilities are not in GoAhead, but the custom version of the web server developed by the Chinese OEM vendor.



Leave a Reply

You must be logged in to post a comment.