IP Cameras Can Do Surveillance for Hackers, Too

With the proliferation of the Internet of Things and a lack of regulation governing its security level, vulnerable devices pose a risk to the entire home network. Even though they’re designed for security, many IP cameras come with flaws hackers can exploit for malicious activity against their owners. Two surveillance products, CXS 2200 from Loftek and C7837WIP from VStarcam, fall under this category, with researchers counting more than 20 security bugs during their tests.

The problems discovered in the firmware of the two cameras could let an attacker spy on the victim via sound and video, gain control of other devices on the network, or turn the product into a bot for distributed denial-of-service attacks. The warning comes from Checkmarx researchers, who evaluated the wireless IP cameras, which are highly appealing to consumers because of their low price.

One common vulnerability in IoTs is telnet communication – an insecure connection used in the past to access remote computers. Telnet connectivity is also enabled in the VStarcam C7837WIP, although it is undocumented. This was among the first issues uncovered and exploited by the researchers.

On Loftek CXS 2200, a cross-site request forgery (CSRF) vulnerability allows a hacker to send a variety of commands to the camera, including one to create users with administrator privileges. The tests have gone beyond this and shown it could be possible to add a user that was almost invisible in the camera’s interface, by naming it with the hexadecimal representation (“20%”) for a blank space and leaving the default password.

With VStarcam, security experts came up with a method to disable it until a manual reset occurred, which would also involve reconfiguration of the options. To achieve this, the experts resorted to the same trick of using the hexadecimal code for a username. “VStarcam has some JavaScript code forbidding the use of special characters; however, you may disable it using any browser inspector to add other characters,” explains the paper. Since these products are installed to monitor private property, it is easy to see why an attacker may want to stop the surveillance activity.

Checkmarx says the firmware powering Loftek and VStarcam products is also present in camera models from other manufacturers, a practice also exposed by Bitdefender in a recent study. Researchers estimate that the number of vulnerable cameras online exceeds 1 million.

Just as in the case of the NEO Coolcams research, Loftek and VStarcam did not respond to the vulnerability disclosure attempts, and firmware updates for their IP cameras are not available publicly – this makes it difficult for regular users to install a version with fewer security risks. Because the firmware runs on products from other vendors, it would be possible to apply it to Loftek and VStarcam devices, although it may not be fully compatible and may not support all the features.

Image credit: VStarcam

One comment

  • By Jari becker - Reply

    Great help and thanks for the advice, i will keep it in my mind

  • Add Comment

    Your email address will not be published. Required fields are marked *