Critical Flaws in Amcrest HDSeries Camera Allow Complete Takeover

Time’s up on public disclosure of six serious bugs impacting the vendor’s IPM-721S model security camera.

Two critical severity bugs have been publicly disclosed that impact Amcrest HDSeries model IPM-721S cameras. Both vulnerabilities open the consumer-grade ($50) Wi-Fi cameras to complete takeover by remote, unauthenticated attackers.

Mandar Satam, senior security researcher at Synopsys, found the six security flaws in the IPM-721S camera back in 2017, and the disclosure process began. A spokesperson for Texas-based Amcrest said firmware updates that address the flaws have been available for months — users were alerted to the need to install a mandatory firmware update when logging into their camera, according to Amcrest. Both researcher and vendor decided to wait until now for public disclosure in order to give users time to update.

The most serious of the bugs (CVE-2017-8229 and CVE-2017-13719) have Common Vulnerability Scoring System (CVSS) ratings of 9.8 and 10, respectively. In the first case, an unauthenticated user can download the camera's admin credentials and take it over. The second bug, which received the highest possible CVSS score of 10, is an unauthenticated memory-corruption bug.

“It’s sad to say, these are not terribly unique vulnerabilities and quite typical of what we see industry-wide,” Satam told Threatpost.

To exploit either bug, the researcher said an attacker would first use the search engine Shodan, a tool for finding exposed devices and databases online, to identify Amcrest model IPM-721S cameras. In the case of the credentials bug (CVE-2017-8229), an attacker would simply put the IP address of the camera in a common URL string to access a configuration file.

“The credentials are [then] downloaded… The admin user’s credentials are in clear text,” according to the description of the vulnerability.

Next, an attacker uses the credentials to log in as an administrative user.

To exploit the more serious memory-corruption bug (CVE-2017-13719), Satam said an attacker would also first identify vulnerable cameras using Shodan. Next, they would send a specially crafted HTTP request to trigger a memory-corruption issue in the camera’s application programming interface (API).

“The device allows HTTP requests that allow to enable various functionalities of the camera by using HTTP APIs instead of the web management interface that is provided by the application,” the researcher wrote. “This HTTP API receives the credentials as base64-encoded in the authorization HTTP header. However, a missing length-check in the code, allows an attacker to send a string of 1,024 characters in the password field and allows an attacker to execute a memory-corruption issue.”

This can allow an attacker to circumvent the account-protection mechanism and execute code on the device, Satam said.
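The missing length check described above, shown in corrected form as an added example (not Amcrest's firmware code or the researcher's): a parser for the base64-encoded `Authorization` credentials that bounds every write into its fixed buffers. The field limits, function names and sample header are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define USER_MAX 32   /* assumed field limits for this example, not Amcrest's */
#define PASS_MAX 64

static const char B64[] =
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

/* Decode base64 into out[cap]; returns byte count, or -1 on bad input or overflow. */
static long b64decode(const char *in, unsigned char *out, size_t cap) {
    size_t n = 0, len = strlen(in);
    unsigned acc = 0; int bits = 0;
    while (len > 0 && in[len - 1] == '=') len--;      /* strip padding */
    for (size_t i = 0; i < len; i++) {
        const char *p = strchr(B64, in[i]);
        if (!p) return -1;                            /* not a base64 character */
        acc = (acc << 6) | (unsigned)(p - B64);
        bits += 6;
        if (bits >= 8) {
            bits -= 8;
            if (n >= cap) return -1;                  /* length check before every write */
            out[n++] = (unsigned char)(acc >> bits);
            acc &= (1u << bits) - 1;
        }
    }
    return (long)n;
}

/* Parse "Basic <base64(user:pass)>" into fixed buffers. 0 = ok, -1 = reject. */
int parse_basic_auth(const char *hdr, char user[USER_MAX + 1], char pass[PASS_MAX + 1]) {
    unsigned char buf[USER_MAX + PASS_MAX + 1];       /* user + ':' + pass */
    if (strncmp(hdr, "Basic ", 6) != 0) return -1;
    long n = b64decode(hdr + 6, buf, sizeof buf);     /* oversized input fails here */
    unsigned char *colon = n < 0 ? NULL : memchr(buf, ':', (size_t)n);
    if (!colon) return -1;
    size_t ulen = (size_t)(colon - buf), plen = (size_t)n - ulen - 1;
    if (ulen == 0 || ulen > USER_MAX || plen > PASS_MAX) return -1;
    if (memchr(buf, '\0', (size_t)n)) return -1;      /* no embedded NULs in C strings */
    memcpy(user, buf, ulen); user[ulen] = '\0';
    memcpy(pass, colon + 1, plen); pass[plen] = '\0';
    return 0;
}

int main(void) {   /* constructed sample header: base64("admin:secret") */
    char u[USER_MAX + 1], p[PASS_MAX + 1];
    int rc = parse_basic_auth("Basic YWRtaW46c2VjcmV0", u, p);
    printf("rc=%d user=%s\n", rc, rc == 0 ? u : "-");
    return 0;
}
```

An over-long credential is rejected during decoding, before any copy into the per-field buffers takes place.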

Other vulnerabilities include a default-account bug resulting in a backdoor (CVE-2017-8226) in the firmware interface. It is rated high-severity (CVSS 7.3). Another flaw (CVE-2017-8230), which the researcher describes as allowing “low-privileged accounts [to] add an admin user,” has a CVSS score of 8.8 and is also rated high-severity.

Additionally, CVE-2017-8227 is tied to an account lock-out failure that happens when an adversary brute-forces access of the web admin password via the ONVIF specification. That standard dictates how video-surveillance products can interoperate with other physical security products and services.

An 8.8-rated high-severity bug (CVE-2017-8228), meanwhile, takes advantage of the fact that the Amcrest cloud service does not perform a thorough verification when allowing a user to add a new camera to the user’s account, according to the researcher.

“This can allow an attacker who knows the serial number to easily add another user’s camera to an attacker’s cloud account and control it completely,” he said.

Mitigation of each of these vulnerabilities includes updating the Amcrest HDSeries model IPM-721S’s firmware.
