175,000 IoT cameras can be remotely hacked thanks to flaw, says security researcher

Over 100,000 internet-connected security cameras contain a "massive" security vulnerability that allows them to be accessed via the open web and used for surveillance, roped into a malicious botnet, or even exploited to hijack other devices on the same network.

Representing yet more Internet of Things devices that are exposed to cyberattackers, vulnerabilities have been uncovered in two cameras in Chinese manufacturer Shenzhen Neo Electronics' NeoCoolCam range.

Researchers at Bitdefender say the loopholes mean it's trivial for outsiders to remotely attack the devices and that 175,000 of the devices are connected to the internet and vulnerable. Between 100,000 and 140,000 are detectable via the Shodan IoT device search engine alone.

The easy online availability and low cost -- some models are available for under £30 ($39) -- of Shenzhen products means the NeoCoolCam devices have spread around the world; the products are in no way just limited to China.

"This proof of concept attack confirms once again that most Internet of Things devices are trivial to exploit because of improper quality assurance at the firmware level. Paired with the fact that the bug affects the authentication mechanism and the massive pool of affected devices, we can only imagine the impact a harvested botnet of devices might have," Bitdefender's research paper said.

The two cameras studied, the iDoorbell model and NIP-22 model, contain several buffer overflow vulnerabilities, some even before the authentication process. The flaws can be used for remote execution on the device -- the attacker doesn't even need to be logged in, even just the attempt at a login can provide access.

"By manipulating the login and password fields of the form, the attacker can inject commands and trick the camera into executing code as it attempts to perform the authentication," Bogdan Botezatu, senior e-threat analyst at Bitdefender, told ZDNet.

"This is a massive vulnerability because it does not allow the user to be logged in; on the contrary, the camera is compromised when a login validation is attempted."

The vulnerabilities could act as a gateway to the rest of the network and the compromise of other devices on it, the researchers said. "Since this attack can execute code on the respective devices, a hacker can use the cameras to pivot inside the internal network," said Botezatu.

Both types of camera were subjected two types of attack: one which affects the web server on the cameras themselves and another which affects the Real Time Streaming Protocol Server.

The camera web server exploit stems from a vulnerability in the HTTP service triggered by the way the application processes the username and password information at login.

Exploiting a weakness they discovered, the researchers were able to overflow the system function and specify commands to be executed, such as monitoring activity on the hacked camera and even overwriting the password, a move which would put the camera in the hands of the hacker for malicious purposes including espionage.

Researchers discovered second vulnerability in the camera's Rapid Spanning Tree Protocol (RSTP) server, with an exploit around authorization which would allow them to gain access to the device.

Bitdefender notes that the two exploits are "almost identical" on both camera models. NeoCool Cam was contacted in May, but Bitdefender says the company hasn't responded. ZDNet has attempted to contact Shenzhen Neo Electronics but hasn't received a reply at the time of publication.

READ MORE ON CYBERCRIME

• Securing the IoT: A question of checks and balances
• How to secure your IoT devices from botnets and other threats [TechRepublic]
• How IoT hackers turned a university's network against itself
• Software bug makes Nest Cams vulnerable to hacks [CNET]
• The IoT security doomsday is lurking, but we cannot talk about it properly