NEO Coolcams Are Not Too Cool, They Buffer Overflow

The code humming inside the shiny cases of most IoT devices does not pass through proper quality assurance testing and has been found numerous times to be unsafe from a security standpoint. This has been confirmed recently by Bitdefender researchers at the Defcon hacker conference in Las Vegas.

Alex Balan, Chief Security Researcher and Spokesperson for Bitdefender, exposed vulnerabilities in the iDoorbell and NIP-22 internet-connected cameras from Chinese manufacturer Shenzen Neo Electronics. One of the flaws is the presence of backdoor accounts that allow watching the camera’s live stream by logging in with easy-to-guess credentials. Balan said that an attacker that found these camera models online could input “guest” or “user” for both username and password to access the video stream.

Another security bug discovered by Bitdefender is a buffer overflow in the web server of the camera, which requires only four lines of code to exploit. The same glitch has been found in the RTSP (Real Time Streaming Protocol) server. A research paper is available from Bitdefender, detailing the steps leading to remote code execution and potential hijacking of the camera.

Taking advantage of these flaws requires some effort from the attacker, but it would not be difficult to find the weak spot, and the reward at the end would be well worth the work. At the time of writing, a cursory search on Shodan, a search engine for internet-connected things, reveals more than 120,000 devices that are potentially vulnerable to the exploits presented by Balan at Defcon.

The gadgets are available online because they use the UPnP (Universal Plug and Play) protocol to make their ports accessible over the Internet by setting up rules automatically on the router or modem. The device tells the local router to open a communication path with the outside network, and the Internet gateway obliges. Many routers, including those provided by Internet Service Providers, are delivered with the UPnP service enabled.

Balan says that the firmware in iDoorbell and NIP-22 is powering smart things from other companies, which means that other products could suffer from the same vulnerabilities. Right now, a revised version of the code is impossible to reach the affected devices because there is no update mechanism in place, the researcher says. As such, all cameras running the firmware analyzed by Bitdefender are at risk of being hijacked.

Balan predicts that in the future botnets will no longer rely on armies of IoT devices secured with default or weak credentials, but on gadgets exploitable at the application level, through buffer overflows or command injection. Spotting such problems would require the maker to dedicate more resources for security tests before sending the code to production.

Bitdefender tried to establish contact with Neo Electronics to report the vulnerabilities in the two devices, but the manufacturer did not return an answer.

Image credit:  Shenzhen Neo Electronics