
NEO Coolcams Are Not Too Cool, They Buffer Overflow

Ionut ILASCU

August 02, 2017


The code humming inside the shiny cases of most IoT devices does not go through proper quality-assurance testing, and it has repeatedly been found to be unsafe from a security standpoint. Bitdefender researchers confirmed this again at the Defcon hacker conference in Las Vegas.

Alex Balan, Chief Security Researcher and Spokesperson for Bitdefender, disclosed vulnerabilities in the iDoorbell and NIP-22 internet-connected cameras from Chinese manufacturer Shenzhen Neo Electronics. One of the flaws is a set of backdoor accounts that let anyone watch the camera's live stream by logging in with easy-to-guess credentials: Balan said an attacker who found one of these camera models online could enter "guest" or "user" as both username and password to reach the video stream.

Another bug Bitdefender found is a buffer overflow in the camera's web server that takes only four lines of code to exploit. The same flaw is present in the RTSP (Real Time Streaming Protocol) server. A research paper from Bitdefender details the steps leading to remote code execution and a potential hijacking of the camera.
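The post does not say which copy in the web server overflows, so the following is an added illustration of the pattern rather than Neo's firmware code: a request path copied into a fixed stack buffer with no length check, beside a hardened parser that bounds the copy and refuses oversized input. The buffer size and the request lines are assumed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define PATH_BUF 64   /* assumed fixed buffer size, for illustration only */

/* Vulnerable pattern: the "%s" for the path has no width, so a request line
 * whose path exceeds PATH_BUF-1 bytes writes past 'path' on the stack. That is
 * the kind of bug a short crafted request turns into code execution. The demo
 * only ever calls this with a short, well-formed line. */
int parse_path_unsafe(const char *request_line, char path[PATH_BUF])
{
    char method[16];
    return sscanf(request_line, "%15s %s", method, path) == 2 ? 0 : -1;
}

/* Hardened form: find the path by its delimiters, compare its length against
 * the destination, and refuse (rather than silently truncate) anything too
 * long or malformed. */
int parse_path_safe(const char *request_line, char *path, size_t path_len)
{
    const char *start = strchr(request_line, ' ');
    if (start == NULL) return -1;            /* no "METHOD path" separator */
    start++;
    const char *end = strchr(start, ' ');    /* path ends at the next space */
    size_t n = end ? (size_t)(end - start) : strlen(start);
    if (n == 0 || n >= path_len) return -1;  /* empty, or would not fit with NUL */
    memcpy(path, start, n);
    path[n] = '\0';
    return 0;
}

/* Builds an attacker-style request line with 'path_bytes' of 'A' as the path
 * and reports whether the hardened parser refuses it (1) or accepts it (0). */
int hardened_rejects_overlong(size_t path_bytes)
{
    char line[512];
    char path[PATH_BUF];
    if (path_bytes + 16 > sizeof line) return -1;
    size_t n = (size_t)snprintf(line, sizeof line, "GET ");
    memset(line + n, 'A', path_bytes);
    n += path_bytes;
    memcpy(line + n, " HTTP/1.1", 10);       /* 9 characters plus the NUL */
    return parse_path_safe(line, path, sizeof path) == -1;
}

int main(void)
{
    char path[PATH_BUF];
    if (parse_path_unsafe("GET /index.html HTTP/1.1", path) == 0)
        printf("unsafe parser, short input: %s\n", path);
    printf("hardened parser rejects a 200-byte path: %d\n",
           hardened_rejects_overlong(200));
    printf("hardened parser rejects a 10-byte path: %d\n",
           hardened_rejects_overlong(10));
    return 0;
}
```

The unsafe version is exactly what a fuzzer or a long GET line finds in minutes; the fix is not a bigger buffer but a length check against the destination before every copy, including the ones hidden inside `sscanf` and `strcpy`.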

Exploiting these flaws takes some effort from the attacker, but finding a target is not hard and the reward is well worth the work. At the time of writing, a cursory search on Shodan, a search engine for internet-connected devices, turns up more than 120,000 devices potentially vulnerable to the exploits Balan presented at Defcon.

The gadgets are reachable from the Internet because they use UPnP (Universal Plug and Play) to make their ports accessible from outside, setting up forwarding rules on the router or modem automatically. The device asks the local router to open a path from the outside network to it, and the Internet gateway obliges without asking the owner. Many routers, including those supplied by Internet Service Providers, ship with the UPnP service enabled. Disabling UPnP on the gateway, or at least reviewing the port mappings it has accepted, closes this path.
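The exchange described above, as an added example in C that is not code from the post or from Neo: the SOAP AddPortMapping request a device sends to the gateway's WANIPConnection control URL to open a port to itself, and a parser for the GetGenericPortMappingEntry reply an administrator can use to enumerate what the gateway has already opened. The gateway host, control path, addresses and the sample reply are constructed placeholders, and the request is built but not sent.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* One row of the gateway's port-mapping table. */
struct port_mapping {
    int  external_port;
    int  internal_port;
    char protocol[8];
    char internal_client[46];
    char description[128];
};

/* Copies the text between <tag> and the next '<' into out; -1 if absent or too long. */
static int extract_tag(const char *xml, const char *tag, char *out, size_t out_len)
{
    char open[64];
    snprintf(open, sizeof open, "<%s>", tag);
    const char *s = strstr(xml, open);
    if (!s) return -1;
    s += strlen(open);
    const char *e = strchr(s, '<');
    if (!e) return -1;
    size_t n = (size_t)(e - s);
    if (n >= out_len) return -1;
    memcpy(out, s, n);
    out[n] = '\0';
    return 0;
}

/* Parses one GetGenericPortMappingEntryResponse body into a port_mapping. */
int parse_port_mapping_entry(const char *xml, struct port_mapping *m)
{
    char num[16];
    if (extract_tag(xml, "NewExternalPort", num, sizeof num)) return -1;
    m->external_port = atoi(num);
    if (extract_tag(xml, "NewInternalPort", num, sizeof num)) return -1;
    m->internal_port = atoi(num);
    if (extract_tag(xml, "NewProtocol", m->protocol, sizeof m->protocol)) return -1;
    if (extract_tag(xml, "NewInternalClient", m->internal_client, sizeof m->internal_client)) return -1;
    if (extract_tag(xml, "NewPortMappingDescription", m->description, sizeof m->description)) return -1;
    return 0;
}

/* Builds the HTTP/SOAP request a device sends to open external port 'ext'
 * (TCP) to client_ip:internal. 'host' and 'control_path' are what the gateway
 * advertises in its device description; no credentials are involved. */
int build_add_port_mapping(char *out, size_t out_len, const char *host,
                           const char *control_path, int ext, int internal,
                           const char *client_ip, const char *desc)
{
    char body[1024];
    int blen = snprintf(body, sizeof body,
        "<?xml version=\"1.0\"?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\" "
        "s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\"><s:Body>"
        "<u:AddPortMapping xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
        "<NewRemoteHost></NewRemoteHost><NewExternalPort>%d</NewExternalPort>"
        "<NewProtocol>TCP</NewProtocol><NewInternalPort>%d</NewInternalPort>"
        "<NewInternalClient>%s</NewInternalClient><NewEnabled>1</NewEnabled>"
        "<NewPortMappingDescription>%s</NewPortMappingDescription>"
        "<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>",
        ext, internal, client_ip, desc);
    if (blen < 0 || (size_t)blen >= sizeof body) return -1;
    int n = snprintf(out, out_len,
        "POST %s HTTP/1.1\r\nHost: %s\r\nContent-Type: text/xml; charset=\"utf-8\"\r\n"
        "SOAPAction: \"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping\"\r\n"
        "Content-Length: %d\r\n\r\n%s", control_path, host, blen, body);
    return (n < 0 || (size_t)n >= out_len) ? -1 : n;
}

/* Constructed sample reply, shaped like a real GetGenericPortMappingEntry
 * response; the addresses and description are placeholders. */
const char *SAMPLE_ENTRY_REPLY =
    "<?xml version=\"1.0\"?><s:Envelope xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\"><s:Body>"
    "<u:GetGenericPortMappingEntryResponse xmlns:u=\"urn:schemas-upnp-org:service:WANIPConnection:1\">"
    "<NewRemoteHost></NewRemoteHost><NewExternalPort>8080</NewExternalPort><NewProtocol>TCP</NewProtocol>"
    "<NewInternalPort>80</NewInternalPort><NewInternalClient>192.168.1.50</NewInternalClient>"
    "<NewEnabled>1</NewEnabled><NewPortMappingDescription>IP camera web</NewPortMappingDescription>"
    "<NewLeaseDuration>0</NewLeaseDuration></u:GetGenericPortMappingEntryResponse></s:Body></s:Envelope>";

int main(void)
{
    struct port_mapping m;
    if (parse_port_mapping_entry(SAMPLE_ENTRY_REPLY, &m) == 0)
        printf("external %d/%s -> %s:%d (%s)\n", m.external_port, m.protocol,
               m.internal_client, m.internal_port, m.description);
    char req[2048];
    if (build_add_port_mapping(req, sizeof req, "192.168.1.1:5000", "/ctl/IPConn",
                               8080, 80, "192.168.1.50", "IP camera web") > 0)
        printf("%s\n", req);
    return 0;
}
```

To audit a real gateway, walk NewPortMappingIndex from 0 upward with GetGenericPortMappingEntry until the gateway returns a SOAP fault; a ready-made client such as `upnpc -l` from miniupnpc does the same walk. Treat the description field as untrusted, since the device that requested the mapping chose it.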

Balan says the firmware in the iDoorbell and NIP-22 also powers smart devices from other companies, so other products could carry the same vulnerabilities. For now a fixed version of the code cannot reach the affected devices, because there is no update mechanism in place, the researcher says. As a result, every camera running the firmware Bitdefender analyzed is at risk of being hijacked.

Balan predicts that future botnets will no longer rely on armies of IoT devices secured only with default or weak credentials, but on gadgets exploitable at the application level, through buffer overflows or command injection. Catching such problems requires the manufacturer to dedicate more resources to security testing before the code goes to production.

Bitdefender tried to contact Neo Electronics to report the vulnerabilities in the two devices, but the manufacturer did not respond.

Image credit:  Shenzhen Neo Electronics
