Trivial Bug Turns Home Security Cameras Into Listening Posts

airbnb security camera hidden

Anyone can listen to the camera’s audio over the internet.

A vulnerability in the consumer-grade Amcrest IP2M-841B IP home security video camera would allow an attacker to remotely listen to the camera’s audio over the internet, without authentication.

“Essentially, if this thing is connected directly to the internet, it’s anyone’s listening device,” explained Jacob Baines, researcher with Tenable Security, in a posting on the flaw this week.

The bug (CVE-2019–3948) exists in the firmware of the device, which is based on OEM code from another vendor, Dahua (a Chinese company that the U.S. is considering blacklisting over espionage concerns). Tenable found that, like many Wi-Fi-enabled Dahua devices, the IP2M-841B has a service listening on TCP port 37777.

“Previously, another researcher had discovered a remote attacker can login to this interface using a captured hash (CVE-2017-7927),” Baines said. “Dahua appeared to fix this at the time. However, Tenable discovered the Amcrest IP2M-841B was still vulnerable to this attack if the user’s password was only 8 characters long.”

Amcrest IP2M-841B IP home security video camera

From Amazon’s ad for the device.

A proof-of-concept script logs in a remote attacker using “admin” and “01testit” hashes to make authenticated request.

There’s also a second bug: the camera exposes a file called “/videotalk” within the component HTTP Endpoint. The researcher said that connecting to the audio stream is trivial: “Any remote unauthenticated attacker that can decode the DHAV [audio-output] format can make a single HTTP request and listen to the camera’s audio.”

“Simply point your browser or a tool like VLC [a free media player] at the videotalk endpoint,” Baines said. In the latter case, “VLC just doesn’t understand the ‘DHAV’ container that the camera has wrapped the audio in. Fortunately, it was pretty easy to write a script that connects to the endpoint and extracts the audio so that it can be played by ffplay [an open-source media player].”

The IP2M-841B should be upgraded to V2.420.AC00.18.R or later to address the issues. But Baines added that other cameras that white-label the same Dahua camera may also be vulnerable.

“Amcrest is one of many companies that rebrand Dahua products,” Baines noted. “But because each company seems to keep their devices at different patch levels or include different features, it remains unclear how many vendors are vulnerable to this particular issue..since Dahua was included in our disclosure timeline we assume patches exist or are forthcoming.”

Interested in more on patch management? Don’t miss our free Threatpost webinar, “Streamlining Patch Management,” now available on-demand. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Click here to listen (registration required).

 

Suggested articles

Discussion

  • Anonymous on

    DasHua is not the name, it's intermixed in the article.
  • Chris k on

    How does someone on the internet get access to the camera's port in the usual scenario where the LAN uses a router and gateway?
    • Tara Seals on

      Thanks Chris -- I'll ask the researcher.
    • Tara Seals on

      Jacob Baines shared this response from Tenable: "The device supports UPnP. It specifically supports UPnP to open a hole in your gateways firewall in order to access the device from the internet."
  • wireless burglar alarm on

    I read your article and is found really interesting and useful. I consider you to choose wireless burglar alarm to protect your home and family from burglaries. It easy to install and cost effective. It fills all of your security needs.

Leave A Comment

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.