Apr 17, 2019 | Posted by Rotem Kama and Dojo Cyber Security team
Security IP cameras, products that are supposed to provide safety and privacy to their customers, can do just the opposite and put users at major security risk by exposing a lot of information. Over the years there has been a decent amount of research on IP cameras from several vendors; some of the issues found were fixed and some were not. However, new camera vendors spring up like mushrooms, and may give the false impression that a product is safe to use because it has no known vulnerabilities.
As we shall see today, making that assumption would be terribly wrong! In this post we present our findings about security issues that affect countless cameras previously thought to be secure! Those “branded” cameras include LOOSAFE, LEVCOECAM, SYWSTODA, BESDER, WUSONGLUSAN, GADINAN, UNITOPTEK, ESCAM and the list goes on!
The risks covered below affect a multitude of products because they arise from a common firmware package for the hi3510 chip, produced by HiSilicon. Under the hood, all those cameras have the same faulty management and access software layer. Most of them even use the same mobile application to manage the camera! This mobile application, CamHi, has more than one million downloads on the Google Play store! There are other applications, like keye, that have a lower download count but act the same as the CamHi app. So, an easy way to check whether your IP camera is also vulnerable to those issues is to check whether it is managed through one of those applications. If so, you may be at risk!
In this research we will be focusing on two issues that were found:
The first one is the ability to view the stream remotely using what are essentially backdoor credentials! This issue has been fixed by the firmware provider, so it is important to check manually from your mobile application whether new updates are available and apply them! (The settings screen has a button to perform this check: Settings -> system setting -> check for updates button.)
It turns out that the cameras ship with two default accounts that are not shown in the mobile application, so the user is not aware of them and cannot disable them (CVE-2019-10711). Those users are “guest” and “user”, with very predictable default passwords. With those accounts it is possible to access the RTSP (Real Time Streaming Protocol) service of the camera from inside the camera’s LAN, or even remotely if the camera exposes this service to the WAN using UPnP or manual port forwarding! The attacker can connect to the stream and the user of the camera will not be made aware of this connection. This issue was uncovered by William McCann, who mentioned it in his great blog post from 2017!
Here is a link to it.
|Vulnerable RTSP address and captured stream|
The second issue relates to sensitive information leakage from the camera using default credentials, which could expose the home Wi-Fi network name and password (CVE-2019-10710). A lot of unaware users do not change their camera’s default credentials, as the camera does not force them to do so. This is a major security problem in itself due to the high volume of available devices that use those default credentials (those credentials are also shared by all camera brands). Using those credentials, an attacker can send a request to a specific entry of the camera web interface, and in response he will receive, in plaintext, the Wi-Fi name and password of the network that the camera is connected to. The attacker may also tell the camera to scan its environment for Wi-Fi networks, which will return the names of all the networks it finds.
|Exposed WiFi credentials from vulnerable device|
Some readers may be asking - “Alright, my Wi-Fi name and password can be exposed from the internet, so what?”. We would like to present the risks of this so-called irrelevant data about your private network.
Using free online IP-to-location services, the public IP address of the attacked camera can be used to get a location fix. Depending on the ISP and country, it may provide the city name. Now we can search for the SSID name extracted through the discussed vulnerability in the Wigle search engine, which will return a list of all possible coordinates with the same SSID! Depending on the uniqueness of the network SSID, we may pinpoint the target house within a ten-meter radius.
|IP2Location response for public IP address|
|Wigle result for query of SSID|
Another useful piece of information is of course the Wi-Fi password! Research shows that more than half of the population reuse passwords across different services! After stealing the target’s password, the attacker may then be able to log in to other services on his behalf and steal private information! More interestingly, as part of our research we have noticed a concerning phenomenon regarding the default (or sometimes user-defined) password of the Wi-Fi provided by some service providers. In several countries, more than 60% of the Wi-Fi passwords were the phone numbers of the networks’ owners! So, attackers can easily extract not only the exact location of the user, but also his phone number. OSINT tools like the TrueCaller API are likely to uncover the victim’s name! From there, much more personal information may be harvested from social media accounts, for example. This highly automatable operation lays substantial groundwork for all types of social engineering scams.
|TrueCaller API search|
|Result of query by name from Pipl|
The number of devices impacted is extremely troubling. We have been using the Shodan engine with a special search query that returns a list of cameras suspected to be vulnerable that can be accessed remotely from the internet. Currently this list contains over 200,000 devices! This list can grow over time as more IP cameras are misconfigured to expose their services to the internet unnecessarily. With this query we can also restrict the search to a certain country, or even to a certain city or service provider.
|Shodan result for possibly vulnerable devices|
After gathering the potentially faulty devices, we ran a custom script that checks whether they are indeed vulnerable (we will not release the source code of this tool due to a major concern for users’ privacy, and to give providers and users the ability to fix those issues in a short time). We repeated this process for several selected countries to gain insight into the geographic impact.
|Country||Exposed RTSP %||Exposed Wi-Fi %|
As we can see, there are clear differences between configuration habits in different countries.
The quickest and most effective response is checking for a software update from the application, as mentioned before, and changing the default password to a new (not reused!) complex password. Making the password longer and more complex makes it exponentially harder to crack. Changing the password is done via the application by going into Settings -> Change password -> apply the new password that you picked.
This password only applies to the admin user of the camera, so if there is no software update available for your camera, it is highly recommended to check whether the two default accounts that are not shown in the application exist in the camera. This can be verified from the camera’s web management portal. Open your web browser and go to the camera portal by entering its IP address (it is displayed in settings -> Device information -> IP Address). In the portal, press the PC view button -> go to settings tab -> Advanced -> User. This displays a list of all the users in the camera. If the “user” and “guest” users appear on the list, it is important to change their passwords. Unfortunately, users cannot be disabled.
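A self-check for the two password points made in this post (Wi-Fi passwords that are phone numbers, and the advice to pick a long, complex password), added here as an example and not taken from the authors or their tooling. The 12-character minimum and the sample passwords are assumptions constructed for illustration; the bit figure is an upper bound that assumes randomly chosen characters.

```python
import math
import re
import string

# Digits with optional leading "+" and common separators, e.g. "+1 (555) 010-9999".
PHONE_LIKE = re.compile(r"^\+?\d[\d\s\-().]{5,18}$")
MIN_LENGTH = 12  # assumed policy threshold, not a figure from the article


def charset_size(password):
    """Size of the alphabet an attacker must cover for the character classes used."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in password):
        size += 33  # printable ASCII punctuation plus space
    return size


def audit_password(password, ssid=""):
    """Return an upper bound on guessing effort (in bits) and a list of weaknesses."""
    issues = []
    digits = re.sub(r"\D", "", password)
    phone_like = bool(PHONE_LIKE.match(password)) and 7 <= len(digits) <= 15
    if phone_like:
        # Separators add nothing: only the digits have to be enumerated.
        bits = len(digits) * math.log2(10)
        issues.append("looks like a phone number")
    elif password:
        bits = len(password) * math.log2(charset_size(password))
    else:
        bits = 0.0
    if len(password) < MIN_LENGTH:
        issues.append(f"shorter than {MIN_LENGTH} characters")
    if ssid and ssid.lower() in password.lower():
        issues.append("contains the network name (SSID)")
    return {"bits": round(bits, 1), "phone_like": phone_like, "issues": issues}


if __name__ == "__main__":
    # Constructed sample passwords; none come from the article.
    for pw in ("0541234567", "HomeNet2019", "t7#Kq9!vLm2$Xr5z"):
        print(pw, audit_password(pw, ssid="HomeNet"))
```

A ten-digit phone number tops out at about 33 bits even before an attacker narrows it by country and operator prefix, while the random 16-character sample exceeds 100 bits.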
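Because the stream is reachable remotely only when the camera's services are exposed to the WAN through UPnP or port forwarding, it is also worth auditing the port mappings your router reports. The following is an added example, not the authors' tool: it assumes the listing layout printed by miniupnpc's `upnpc -l`, uses a constructed sample with a hypothetical camera at 192.168.1.64, and relies on 554 being the standard RTSP port.

```python
import re

# Constructed sample in the layout printed by miniupnpc's `upnpc -l` (assumed format).
SAMPLE_UPNPC_OUTPUT = """\
ExternalIPAddress = 203.0.113.25
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP   554->192.168.1.64:554   'IPCAM' '' 0
 1 TCP  8081->192.168.1.64:80    'IPCAM' '' 0
 2 UDP 51413->192.168.1.20:51413 'BitTorrent' '' 0
GetGenericPortMappingEntry() returned 713 (SpecifiedArrayIndexInvalid)
"""

# index, protocol, external port -> internal address:port, quoted description
MAPPING_RE = re.compile(
    r"^\s*\d+\s+(TCP|UDP)\s+(\d+)->(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+'([^']*)'"
)

# Internal ports a camera typically serves; anything else is reported as unknown.
SERVICE_BY_PORT = {
    554: "RTSP video stream",
    80: "web management portal",
    443: "web management portal (TLS)",
}


def camera_exposures(upnpc_output, camera_ip):
    """Return every UPnP mapping that forwards internet traffic to camera_ip."""
    findings = []
    for line in upnpc_output.splitlines():
        match = MAPPING_RE.match(line)
        if not match:
            continue  # header, status or error line
        proto, ext_port, in_addr, in_port, desc = match.groups()
        if in_addr != camera_ip:
            continue  # mapping belongs to another LAN host
        findings.append({
            "protocol": proto,
            "external_port": int(ext_port),
            "internal_port": int(in_port),
            "service": SERVICE_BY_PORT.get(int(in_port), "unknown service"),
            "description": desc,
        })
    return findings


if __name__ == "__main__":
    for f in camera_exposures(SAMPLE_UPNPC_OUTPUT, "192.168.1.64"):
        print(f"WAN {f['protocol']}/{f['external_port']} -> camera port "
              f"{f['internal_port']} ({f['service']})")
```

Any finding for the camera's address means the router is forwarding internet traffic to it; removing the mapping or disabling UPnP on the router closes that path regardless of which accounts exist on the camera.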
Another possible solution is a product that will help protect all your network devices, and not only the camera. Our network security solution, “Dojo by Bullguard”, is just the right choice to help protect your network from all possible threats. With the Dojo you can easily set access policies and receive notifications on unknown connections to any of your devices, securing a home that is evidently wide open to attacks.
Thanks for reading and stay safe! Rotem Kama and Dojo’s cyber security team.