Two consumer-grade IP-enabled security cameras manufactured by Loftek and VStartcam are riddled with nearly two dozen vulnerabilities that expose them to remote attacks. According to researchers, more than 1.3 million of the cameras are in use today, with 200,000 models located in the United States.
Based on a report released Tuesday by Checkmarx, the Loftek DSS-2200 and VStarcam C7837WIP allow a malicious user to easily exploit the devices. Not only can adversaries enlist them into DDoS botnets, but they can also gain control of additional devices that share the same network.
Checkmarx said problems identified in Loftek and VStartcam cameras are systemic of problems that face other insecure IP-based cameras. Its research serves as a cautionary example of the pervasive problems tied to insecure cameras that create the fertile ground for hackers and destructive IoT malware such as Mirai.
Researchers said red flags popped up immediately when testing the Loftek and VStartcam cameras, both manufactured in China.
“As our initial scans came to an end, we reached the conclusion that if your (Loftek and VStarcam) camera is connected, you’re definitely at risk. It’s as simple as that,” Checkmarx researchers wrote.
Obvious vulnerabilities included hardcoded credentials, an inability to update the firmware, lack of support for HTTPS and an undocumented Telnet port in the VStartcam camera.
Lack of HTTPS support is bad enough, said Amit Ashbel, cyber-security evangelist at Checkmarx. He said that vulnerability alone allowed an attacker to send a clear text GET request to the camera containing a variety of different commands to gain a foothold on the device.
“Among (the GET requests) is the ability to create new users. As admin, passwords do not need to be changed, the chance is likely that the default password may work,” he said. That allows the attacker to create a second user with admin privileges while maintaining the original admin password and username, avoiding any suspicions.
Both cameras were also vulnerable to a raft of problems including cross-site request forgery vulnerabilities, stored cross-site scripting flaws, server-side request forgery and HTTP response splitting bugs. In total, 21 exploits were tested and confirmed.
The biggest contributor to the insecurities, according to researchers, were two types of software used in either device called Netwave and GoAhead, both made in China.
“We tried to reach out to both camera manufacturers as part of an attempt at coordinating the disclosure. No one got back to us,” Ashbel said.
He said a wide range of Chinese camera manufacturers use very similar hardware and software in their cameras. “We noticed that many wireless IP cameras on the market, especially the cheaper ones available for purchase on popular sites run the Netwave and GoAhead firmware,” researchers note.
Despite 1.3 million devices being still in use, both cameras are no longer sold. However, in further scans of the internet using the Shodan search engine, additional camera models were found that also used the same vulnerable firmware that included; Foscam, Advance, Wanscan, Apexis, Visioncam, Eshine and EyeSight.
“There may be a scenario where an attacker could use either of the cameras’ settings to send spam emails or flood the victim’s inbox. With a simple script, an attacker could launch such an attack with little-to-no effort,” the report stated.
“The cameras are vulnerable by default, and—especially the Loftek 2200—which could be used as a backdoor to your network. It is clearly worth spending a bit more money on a more secure camera,” Ashbel said.