STE WILLIAMS

Oops! 185,000-plus Wi-Fi cameras on the web with insecure admin panels

Get ready for the next camera-botnet: a Chinese generic wireless webcam sold under more than 1,200 brands from 354 vendors has a buggy and exploitable embedded web server.

According to this advisory by Pierre Kim at Full Disclosure, the problems are in the camera’s GoAhead administrator’s interface and in a weak cloud connection protocol.

Kim posts a Shodan link that lists around 185,000 vulnerable Wi-Fi-connected cameras exposed to the internet, ready and waiting to be hijacked. The cameras’ CGI script for configuring FTP has a remote code execution hole known since 2015, Kim writes, and this can be used to run commands as root or start a password-less Telnet server.

There’s a file in the file system, /system/www/pem/ck.pem, that contains an Apple developer certificate together with its private RSA key, and the Web server’s credentials leak to an unauthenticated attacker via the system.ini and system-b.ini symbolic links.
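For a defender who has one of these cameras behind a reverse proxy or collects its web-server access logs, the unauthenticated requests for system.ini and system-b.ini are a simple thing to alert on. The following detector is an added example, not code from Kim’s advisory or from the camera firmware; it assumes Common Log Format lines (the camera’s own log format is not documented on this page) and runs over a few constructed sample entries.

```python
import re
from typing import Dict, Iterable, List, Optional

# File names that Kim's advisory reports as leaking the web-server credentials
# to unauthenticated clients. Matching is on the final path component, so the
# URL prefix used by a particular firmware build does not matter.
LEAKING_FILES = ("system.ini", "system-b.ini")

# Common Log Format (assumed here): host ident user [time] "request" status size
_CLF = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one CLF line; return None for lines that do not match."""
    m = _CLF.match(line.strip())
    return m.groupdict() if m else None


def is_credential_leak_request(entry: Dict[str, str]) -> bool:
    """True if the request targets one of the leaking ini files."""
    path = entry["path"].split("?", 1)[0]      # drop any query string
    name = path.rsplit("/", 1)[-1]             # last path component
    return name in LEAKING_FILES


def find_leaks(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per request for a leaking file.

    'served' is True when the server answered 200, i.e. the credentials
    were actually handed out rather than the request being refused.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_credential_leak_request(entry):
            continue
        hits.append({
            "host": entry["host"],
            "time": entry["time"],
            "path": entry["path"],
            "served": entry["status"] == "200",
        })
    return hits


def leaking_clients(lines: Iterable[str]) -> set:
    """Client addresses that successfully retrieved a leaking file."""
    return {h["host"] for h in find_leaks(lines) if h["served"]}


# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Mar/2017:10:12:01 +0000] "GET /system.ini HTTP/1.1" 200 1843',
    '203.0.113.5 - - [09/Mar/2017:10:12:02 +0000] "GET /system-b.ini HTTP/1.1" 200 1843',
    '192.168.1.20 - - [09/Mar/2017:10:13:44 +0000] "GET /index.html HTTP/1.1" 200 5120',
    '198.51.100.7 - - [09/Mar/2017:10:15:09 +0000] "GET /cgi-bin/system.ini?x=1 HTTP/1.1" 404 0',
    'not a log line at all',
]

if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_LOG):
        state = "SERVED" if hit["served"] else "refused"
        print(f'{hit["time"]} {hit["host"]} {hit["path"]} {state}')
    print("clients holding leaked credentials:", sorted(leaking_clients(SAMPLE_LOG)))
```

Feed it the access log of the proxy in front of the camera; any source that appears in `leaking_clients` has the admin credentials and the camera’s password should be treated as compromised.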

There’s an unauthenticated real-time streaming protocol (RTSP) server, so if you can see the camera’s TCP port 10554, you can watch what it streams.

The camera’s cloud capability is on by default, with pre-configured connections to AWS, Alibaba and Baidu. All an attacker needs is a suitable smartphone application (Kim tried P2PWificam and Netcam360), and the serial number of the target.

“If the camera is online, a UDP tunnel is automatically established between the application and the camera, using the cloud server as a relay,” he writes.

That UDP tunnel is an attack vector, which Kim demonstrates by retrieving configuration in plain text, and: “the tunnel bypasses NAT and firewall, allowing the attacker to reach internal cameras (if they are connected to the Internet) and to bruteforce credentials.”

Kim notes that such easily attacked cameras could effortlessly be recruited into a botnet.

Kim’s post at GitHub includes proof-of-concept code and the sensible advice that cameras should not connect to the Internet.

The vulnerabilities clearly go back a long way, since 3Com’s name is in the list. Other big names include D-Link, Akai, Axis, Kogan, Logitech, Mediatech, Panasonic, Polaroid, and Secam.

Australian readers might want to check out cameras bought from Jaycar, particularly under the QC-38nn model range. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/03/09/185000_wifi_cameras_naked_on_net/
