Nearly 200,000 Wi-Fi Cameras Are Open To Hacking

An anonymous reader quotes a report from BleepingComputer: What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking. The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, who sells it as a white-label product to several other camera vendors. Security researcher Pierre Kim says the firmware produced by this Chinese vendor comes with several flaws, which have all made their way down the line into the products of other companies that bought the white-label (unbranded) camera. In total, nearly 1,250 camera models based on the original camera are affected. At the heart of many of these issues is the GoAhead web server, which allows camera owners to manage their device via a web-based dashboard. According to Kim, the cameras are affected by a total of seven security flaws. Yesterday, Kim said that around 185,000 vulnerable cameras could be easily identified via Shodan. Today, the same query yields 198,500 vulnerable cameras. Proof-of-concept exploit code for each of the seven flaws is available on Kim's blog, along with a list of all the 1,250+ vulnerable camera models.

Re:

[WarJolt]

Nope. This is a call to some random /. reader willing to turn the cameras into a botnet. This a a pre-story and will be followed up by the results. I can't wait.

Re:

[dbIII]

That is likely to look a lot like this anime from 2002 about teenagers making use of a badly secured Internet of Things.
https://myanimelist.net/anime/611/Platonic_Chain

Re:

[fisted]

No.

Then again

[Ol Olsoc]

What isn't?

It's just that these cameras, like the ovwewhelming majority of the Internet of Things, is 100 percent insecure. Real hackers probably are insulted by the insinuation that you actually have to hack anything.

And y'all better get used to it folks. THe manufacturers are pushing this, and the consumers are buying this, and it's not going away.

Re:

[rhazz]

How exactly do these wifi cameras get exposed to public hacking? Are these cameras that you configure to use your own wifi network, and that automatically makes them visible outside your network?

I have two wifi baby monitors in my home, but they both generate their own wifi signal are not on my home network. I am comfortable with the risk that someone could theoretically walk up to my house, hack the (random) factory password, and watch the baby in its crib. Is there some magic I don't know about that con

Re:

[Ol Olsoc]

How exactly do these wifi cameras get exposed to public hacking? Are these cameras that you configure to use your own wifi network, and that automatically makes them visible outside your network? I have two wifi baby monitors in my home, but they both generate their own wifi signal are not on my home network. I am comfortable with the risk that someone could theoretically walk up to my house, hack the (random) factory password, and watch the baby in its crib. Is there some magic I don't know about that connects them to the internet?

https://krebsonsecurity.com/20... [krebsonsecurity.com] If your cams never attach to the internet, it's cool, but most cameras these days are IP, and they are the STD's of the web.

Hacking?

[BeemanIT]

I doubt it's really hacking but rather people not understanding how/why they need to change the default admin username and password. Many of the recent major hacks have been due to default admin password not being changed.

What to do

[AHuxley]

Download some AV like Avast.
Run the Home network security
https://www.avast.com/f-home-n... [avast.com]
If you need your CCTV network sending out images use cell networks to send the alert images.

Re:

[Highdude702]

Lol you think AV can't be bypassed? There are tools made specifically to beat even the best AV.

Re:

[AHuxley]

The idea is to get the user onto a cell network for their CCTV.
The first step is to understand that the internet is not secure.
The user has to work out that more secure options exist.

Re:

[Highdude702]

The cell networks are still essentially linked to the Internet, without a firewall(I used to install GSM units in security panels, they are then accessed by ip) so that's actually a worse situation if the device itself has a vulnerability like these do.

Consumer router options

[gerf]

So when will we be able to have consumer grade routers that keep selected crwp devices on a separate network and generally restricted access? Is this possible with Tomato or an OSS firmware, either manually or automagically? To me I see this as the next step to informing and training consumers on networking, the first being adding passwords to their wireless networks.

Re:

[AHuxley]

Malware has a list of all the common default usernames passwords like admin and password.
Beyond that is the unprotected IoT waiting to be networked.
A router company would have to print a random code per product sold if it wanted out of the box security.
Users would never find the unique code on the paperwork deep in the box and return the product a faulty.

Re:

[iamgnat]

A router company would have to print a random code per product sold if it wanted out of the box security.

Why on earth would they need to do that? The simple answer is that at initial set up the only thing that should be enabled is the setup service and it should not proceed until they set up their own user and password info. Bonus points if they apply real password requirements and block common user names (user, admin, etc..).

There is nothing complicated here, it's just laziness on the part of the manufacturer.

Re:

[mrchaotica]

A router company would have to print a random code per product sold if it wanted out of the box security. Users would never find the unique code on the paperwork deep in the box and return the product a faulty.

The unique code should be printed on a sticker affixed to the base of the device. This shouldn't be hard, since it's already done for the MAC address and serial number.

Re:

[Anonymous Coward]

configure static ip
set default route to the same ip
set dns server to the same ip

problem solved. no off-net access.

Re:

[Anonymous Coward]

Most modern Asus routers come w/OpenVPN Server built in and wrapped up in a very slick and easy to use GUI; its actually easier to setup than port forwarding if you watch a youtube video.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Zocalo]

This, other than UPnP which is seriously broken for many devices. Except for the real entry level ones, most modern consumer routers will let you setup multiple networks and firewall them from each other right out of the box; you don't even need some third party option like Tomato or OpenWRT. The problem is that the UIs to do so are generally extremely clunky and poorly documented - and that's before you even start getting around to figuring out how to secure access to those IoT devices that you might act

Re:

[mrchaotica]

how to secure access to those IoT devices that you might actually want to be able to access from the Internet (hint: VPN)

Better hint: have them talk only to a local server / controller / DVR with decent security, and access that from the Internet.

Re:

[queBurro]

most routers have an option of a guest access point. your pc and your IoT are then on different vlans. This would be a start.

isn't that the idea?

[turkeydance]

backdoors for everything and everyone. the better to see you with, my dear.

what if it is done on purpose?

[kiviQr]

Russians sold cheap USB sticks next to US military base in Kabul in hope that they will use them within internal network - they succeed (http://www.businessinsider.com/russia-planted-bugged-thumb-drives-to-break-into-us-govt-computers-2017-3). What if these wi-fi cameras are on purpose subsidized by government and indeed have back doors?

First link is clickbait. Read the last one

[Anonymous Coward]

The first link, as it is the norm with the so-called Slashdot nowadays, is clickbait blogspam. The real story is linked last.

Read it. It's super lulz-worthy. Basically this is as bad as you can get.

This is not just default-password mindless hack. The funny thing is this

But it appears access to .ini [system config blob] files are not correctly checked. The attacker can bypass the authentication by providing an empty loginuse and an empty loginpas in the URI... This vulnerability allows an attacker to steal credentials, ftp accounts and smtp accounts (email).

So no matter whatever password there is, you can simply read it off the server without auth. After reading the credentials in plaintext, you can exploit another hole in the FTP config (why the fuck they put FTP there) program and execute

My cameras need no security

[mea2214]

They are on a separate network and none can be accessed from outside that network. They ftp alarms to an ftp server which then does whatever is needed with those files. I would prefer a camera that only needs a username and password to get to the config panels. Nobody can get to my cameras unless they have physical access to the network. Security for IoT does not have to/nor can it be done at the device level.

Re:

[Anonymous Coward]

All my cameras are on the list, and were orphaned by their vendors before I bought them ($20 each on clearance at Australian K-Mart stores, specifically because they were orphaned and some features didn't work as described). I don't have them on a separate network, but I set an invalid gateway address on them so they can't communicate with the outside world. All they need to communicate with is my ZoneMinder instance - if I want to view them remotely, I'll VPN into my home network.

Have them DDoS their makers!

[Gravis Zero]

Behavior is defined by feedback loops and currently there is no feedback from selling insecure crap to idiots. The obvious solution is to create a feedback loop by having each insecure device pound away at the websites of the people that made them.

Intelligently designed Interet of Things

[Opportunist]

(in short IDIOT)

Describes the user better than the product.

Huh?

[SCVonSteroids]

These are probably all compromised already. Why is this being posted?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Zocalo]

Is that all? I would consider that terrible news. That means that several millions are yet to be exploited.

FTFY.

This is not the "real" problem...

[squash_me_quickly]

the real problem is the millions of Wi-Fi cameras, routers, etc. in which the users have turned the security features off.

Many people have about 2 minutes the patience to get their gadgets to work with the security features on. Then they will happily use hours finding out how to turn the security features off.