200,000 Wi-Fi Cameras are Open to Multiple Hacks

cageymaru

Fully [H]
Joined
Apr 10, 2003
Messages
20,361
200,000 WiFi cameras are currently online and open to hacking due to a Chinese firm's intentional installation of a backdoor into the firmware at the production factory. To be exact there are seven potential backdoor hacks that can be performed on these cameras to exploit them. These cameras are sold generically as white label goods to other vendors to brand as their own. The model number of the white label camera is Wireless IP Camera (P2P) WIFICAM. The staggering list of models affected has exceeded 1,250! We have endured DDOS attacks from snack machines, and teddy bears spying on users. The IoT strikes again!

  • Backdoor account - Telnet runs by default, and everyone can log in with the following credentials. root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh
  • Pre-auth info and credentials leak - An attacker can bypass device authentication procedures by providing empty "loginuse" and "loginpas" parameters when accessing server configuration files. This allows the attacker to download device configuration files without logging in. The configuration files contain credentials for the device, and its FTP and SMTP accounts.
  • Pre-auth RCE as root - An attacker can bypass the authentication procedure and execute code on the camera under the root user just by accessing an URL with special parameters.
  • Streaming without authentication - An attacker can access the camera's built-in RTSP server on port 10554 and watch a live video stream without having to authenticate
  • Cloud - The camera provides a "Cloud" feature that lets customers manage the device via the Internet. This feature uses a clear-text UDP tunnel to bypass NATs and firewalls. An attacker can abuse this feature to launch brute-force attacks and guess the device's credentials. Kim says this Cloud protocol was found in multiple apps for multiple products, and at least 1,000,000 devices (not just cameras) seem to rely on it to bypass firewalls and access closed networks where devices are located, effectively defeating the protection those private networks provide.
 
Last edited:

bman212121

[H]ard|Gawd
Joined
Aug 18, 2011
Messages
1,815
I don't if I'd call that a "backdoor" account if it's just the default user/password for all cameras. Maybe they forgot to list it in the terrible little manual they probably put on a micro cd that everyone just threw away when they got their camera. The rest is just basic QC and security 101. It's quite obvious that the device wasn't designed with any security whatsoever, so it's up to the customer to recognize this and either buy products from a real vendor, or lock these devices down onto a private network since they are full of holes. Any halfway decent security installer should have checked to see if http / telnet / ssh was running before massively deploying these. But chances are good that the security installers who put these up came from the analog world where you just attach a bnc connector to the back of the camera and you're done.
 

westrock2000

[H]F Junkie
Joined
Jun 3, 2005
Messages
9,255
I boarded up all the windows in my house. I read a report that nearly all windows sold in America are susceptible to hammer attacks. Very disappointing. I try to warn as many people as possible now.
 

Dead Parrot

2[H]4U
Joined
Mar 4, 2013
Messages
2,831
Chinese Financial News Announcement: Camera Vendor [Unnamed] suddenly declared bankruptcy this morning. The owner's only comment was that "He is looking forward to the exciting new opportunities in the connected toy manufacturing business."
 

toast0

[H]ard|Gawd
Joined
Jan 26, 2010
Messages
1,148
yay, my janky camera isn't running telnet, so it's probably ok! (also i block packets from it from going to the internet)
 

Yaka

Gawd
Joined
Jan 26, 2004
Messages
613
where i work we have been asked if any cctv is being replaced/upgraded we gotta run it by the higher ups and get an ok first. i think the guys that deal with the hardware say theres a container full of hikvision stuff gathering dust as no one wants to ok it.
 

tikiman2012

[H]ard|Gawd
Joined
Dec 16, 2009
Messages
1,228
where i work we have been asked if any cctv is being replaced/upgraded we gotta run it by the higher ups and get an ok first. i think the guys that deal with the hardware say theres a container full of hikvision stuff gathering dust as no one wants to ok it.

Have them send them to me. I'll recycle the responsibly.
 

Schtask

Limp Gawd
Joined
Nov 29, 2011
Messages
436
I could show you some things on Shodan that would make your face melt. Like... Raiders of the Lost Ark face melt.
 

evilwon

Limp Gawd
Joined
Feb 11, 2008
Messages
169
Got to read more when I am not this tired. Is it that telnet is running and should be accessible or that it is only accessible through the managing website? I fired up one that I have sitting since I moved and I cannot connect to it via telnet. Then again, it is not running in any default mode either.

If anyone can comprehend more than my fat-i-gued brain can now, I'd appreciate the input.
 

Uvaman2

2[H]4U
Joined
Jan 4, 2016
Messages
3,143
Why they keep calling 'the attacker' and then make it sound as if things are just used as the software is designed?
Wouldn't a better term be, an 'unauthorized user'.
Only the last point they mention an actual use of an attack.
If these are cameras sold as 'white' label goods, those backdoors sound more like features meant to be customized/removed by the vendor.
Then again, if these were meant and kept secret from companies that buy and package these, then yeah, that is an issue
 

snowcrash

Gawd
Joined
Apr 30, 2011
Messages
712
I believe in strength in numbers. The chance of something bad happening with my camera is about the same chance of me winning the lotto.
 

Uvaman2

2[H]4U
Joined
Jan 4, 2016
Messages
3,143
Well, also soon we will be able to hack-back to China, so there!
Chinese officials are extremely worried about hacking, as they finish their quantum network
 

Milehigh

Limp Gawd
Joined
Jul 18, 2004
Messages
242
Well, great... I have 2 Foscams and a D-Link... I don't use any cloud service, but do use an Android app to monitor activity on my cell phone when I'm away. I also use Blue Iris for motion detection and recording, and am going to assume my cams are vulnerable based on the models listed. I'm not quite as advanced in networking as most users here, so my question. Can I still have my access to the cams on my cell without letting the world in? Are there router settings to allow my access, but not the vulnerability? I do have a new AC router with a ton of settings and would think there are options here to allow me to enjoy checking my house without others doing the same... advice?
 

S-F

Gawd
Joined
Aug 5, 2010
Messages
671
Well, great... I have 2 Foscams and a D-Link... I don't use any cloud service, but do use an Android app to monitor activity on my cell phone when I'm away. I also use Blue Iris for motion detection and recording, and am going to assume my cams are vulnerable based on the models listed. I'm not quite as advanced in networking as most users here, so my question. Can I still have my access to the cams on my cell without letting the world in? Are there router settings to allow my access, but not the vulnerability? I do have a new AC router with a ton of settings and would think there are options here to allow me to enjoy checking my house without others doing the same... advice?


Maybe make a post in the networking and security forum, but I'd start by only using BI to view your camera feeds.
 

wirerogue

Limp Gawd
Joined
Mar 2, 2012
Messages
405
i have 2 foscams that aren't on the list.

i'm not going to take any chances.

disabled p2p on the cameras.

pfsense created lan rule to block any protocol for the 2 camera ip addresses.

using the app on my phone was cool but, not totally necessary. i'll just stick to the local alarm recording.

i think that should do it.
 

Chupachup

Limp Gawd
Joined
Jan 12, 2014
Messages
435
The list shows the Logitech C920 I have installed. And while this device is configured on my computer, I don't run any of the software that came with it and the software I have used for remote monitoring has not been based off the GoAhead source. With the software I have tested and used over the years, I always make sure remote administration (if available) is disabled to keep access to the device as isolated as possible.

Depending on the cam, this appears to be an exploit only available by allowing the device to be accessed from outside the home either directly (web enabled) or by using compromised software as the conduit (web enabled/USB).

So, it seems it's not simply the hardware itself that makes this an issue for all makes/models. More how that hardware and any associated software is configured and used.

As always, buyer beware and be aware :eek:
 

Gigus Fire

2[H]4U
Joined
Oct 14, 2004
Messages
2,275
Lets see what's happening at home... oh wait nevermind.
Because people are too stupid to figure out how to create a vpn at home and connect to it remotely, then treat the camera as a local device?
People can't figure out how to set up remote desktop on a computer or vnc to a server at home to check out on a browser how the camera is doing?

There's lots of alternatives than directly sharing video on the internet that amounts to a webcam with an addon of a webpage that's built for the lowest price by some Chinese manufacturer.
 

C-rizzle

Gawd
Joined
Jun 16, 2009
Messages
783
So it looks like its only an issue if you're using the cloud services? (can someone confirm this)

I have multiple cameras on that list... foscams, zmodos, etc. that I've set up at work, home or family's houses. But hopefully since I manually set up everything with strong usernames & passwords, I'm relatively safe.
 
Top