Connected IP cameras are ubiquitous. Always on and reachable from outside the home, they are the go-to surveillance device. But that constant connection to the vendor's cloud also means a vulnerable camera can be found and hijacked from anywhere.
As the creator of the world's first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program and aims to shed light on the security of the world's best-sellers in the IoT space. This report covers the Neos SmartCam and is based on our research of the 18.104.22.168 firmware version.
Note: While research, reporting and patching took place in the last few months of 2020, we had to defer publication of this report because the same vulnerabilities were shared with other platforms and products at the time.
We'd like to thank the security team at Neos for their rapid acknowledgment of the issues and quick delivery of new firmware. Neos runs a bug bounty program, which greatly helped both parties establish a secure communication channel and coordinate further.
Neos has released firmware version 22.214.171.1241, which fixes both vulnerabilities.
Authentication bypass with elevation to root
The Neos SmartCam uses the Kalay SDK to communicate with the cloud platform. The TUTK service running on the device normally expects the 0x2710 command during authentication. We discovered that sending command ID 0x2712 with NULL content to the TUTK service instead bypasses authentication entirely.
This gives access to undocumented functionality (such as enabling the Telnet service) and lets us authenticate as root. Our proof-of-concept code bypasses authentication and then sends a second command (ID 0x2780) to enable the Telnet service.
Impact: By bypassing authentication, we can reach undocumented features and gain root privileges on the device by enabling Telnet and logging in with the root:ismart12 credentials. The bypass can be exploited from the LAN or remotely, as long as the attacker knows the device UID.
Buffer overflow with remote code execution
The same TUTK component is also vulnerable to a buffer overflow. The handler for the TUTK command with ID 0x2776 does not validate the length of the received buffer. This allows us to overwrite the return address and obtain code execution. Paired with the authentication bypass described above, it lets an attacker exploit any camera remotely, knowing only the device UID.
Our PoC bypasses authentication and then sends the command with ID 0x2776 to trigger the overflow and execute the specified command. Because the iCamera executable crashes afterwards, the watchdog restarts the camera, but persistence can be achieved by modifying the startup script.
Impact: By exploiting this vulnerability, we can run arbitrary commands as root on the SmartCam. The vulnerable functionality can be reached remotely, provided the attacker knows the device UID.
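The bug class behind the 0x2776 handler, as an added illustration that is neither Bitdefender's PoC nor the camera's iCamera code: a hypothetical command handler that copies a received body into a fixed 64-byte stack buffer using the attacker-supplied length, beside the same handler with the length check it was missing. The 64-byte size, the simulated frame layout (buffer immediately followed by the saved return address), the handler names and the constructed payload are all assumptions made for this example; the report does not describe the real TUTK message format or the device's stack layout.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical reconstruction for illustration only; not the iCamera code.
 * The real buffer size and frame layout are assumptions. */
#define CMD_BUF_SIZE 64

enum { HANDLER_OK = 0, HANDLER_REJECTED = -1 };

/* Simulated stack frame: the handler's local buffer immediately followed by
 * the saved return address. Keeping the copy inside this struct lets the
 * overwrite be observed without actually smashing the process stack. */
struct sim_frame {
    uint8_t  buf[CMD_BUF_SIZE];
    uint32_t saved_ret;
};

typedef int (*cmd_handler_t)(struct sim_frame *, const uint8_t *, size_t);

/* Vulnerable: the length comes from the network and is never compared with
 * CMD_BUF_SIZE, so body bytes 64..67 land on saved_ret. The clamp to
 * sizeof(*frame) only stands in for "the rest of the stack" in this model. */
int handle_cmd_vulnerable(struct sim_frame *frame, const uint8_t *data, size_t len)
{
    uint8_t *dst = (uint8_t *)frame;      /* same address as frame->buf */
    if (len > sizeof(*frame))
        len = sizeof(*frame);
    memcpy(dst, data, len);
    return HANDLER_OK;
}

/* Hardened: reject (rather than silently truncate) any body that does not
 * fit, before touching the buffer at all. */
int handle_cmd_fixed(struct sim_frame *frame, const uint8_t *data, size_t len)
{
    if (len > CMD_BUF_SIZE)
        return HANDLER_REJECTED;
    memcpy(frame->buf, data, len);
    return HANDLER_OK;
}

/* Delivers a constructed body of `len` bytes (capped at the frame size) to a
 * handler. Returns -1 if the handler refused it, 1 if the saved return
 * address slot was overwritten, 0 if it was accepted with the slot intact. */
int deliver_payload(cmd_handler_t handler, size_t len)
{
    struct sim_frame frame;
    uint8_t payload[sizeof(struct sim_frame)];   /* constructed body, 68 bytes */
    const uint32_t original_ret = 0x00400abcu;   /* pretend return address */

    if (len > sizeof payload)
        len = sizeof payload;
    memset(&frame, 0, sizeof frame);
    frame.saved_ret = original_ret;
    memset(payload, 'A', CMD_BUF_SIZE);                     /* fills buf exactly */
    memset(payload + CMD_BUF_SIZE, 'B', sizeof(uint32_t));  /* would hit saved_ret */

    if (handler(&frame, payload, len) == HANDLER_REJECTED)
        return -1;
    return frame.saved_ret != original_ret;
}

int main(void)
{
    printf("vulnerable, 16-byte body: %d\n", deliver_payload(handle_cmd_vulnerable, 16));
    printf("vulnerable, 68-byte body: %d\n", deliver_payload(handle_cmd_vulnerable, 68));
    printf("fixed,      68-byte body: %d\n", deliver_payload(handle_cmd_fixed, 68));
    printf("fixed,      64-byte body: %d\n", deliver_payload(handle_cmd_fixed, 64));
    return 0;
}
```

The fixed handler rejects over-long bodies instead of truncating them, so a caller cannot smuggle a partial command through and the peer gets an unambiguous error. On the real device the bytes past the return address slot would continue into the caller's frame, which is why a working PoC also needs the exact distance from the buffer to the saved return address for the target firmware build.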
Home users should keep a close eye on their IoT devices and isolate them as much as possible from the main and guest networks, for example by setting up a dedicated SSID used exclusively for IoT devices.
Additionally, users can run the free Bitdefender Smart Home Scanner app to discover connected devices and highlight vulnerable ones. Device owners should also check regularly for newer firmware and update their devices as soon as the vendor releases new versions.
To minimize risks of compromise, smart home users should consider the adoption of a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.