IoT home security camera allows hackers to listen in over HTTP

Unauthenticated, remote snooping is possible over the Internet.
Written by Charlie Osborne, Contributing Writer

Security researchers have uncovered a security flaw in a popular home security camera which permits remote spying without any form of authentication. 

This week, researchers from cybersecurity firm Tenable said the Amcrest IP2M-841B IP camera, available on Amazon and subject to 12,000 customer reviews -- many of which are positive -- contained a serious bug which is "trivial" to exploit. 

The Amcrest camera is advertised as a full-HD 1080p camera capable of low-light footage capture. The developers of the device say that the camera can be used via smartphone and a PC, and footage can also be sent to the cloud via subscription. 

Within the camera's description, Amcrest says that a number of security features have been implemented, including "SSL/HTTPS connection, wireless AES/WPA2 encryption, [a] FCC and UL camera certificate, and regular security firmware updates."

However, in a Medium blog post, researchers say a glaring issue has been missed -- the possibility of eavesdropping on a user's audio streams. 

The vulnerability, now assigned as CVE-2019–3948, was found after an examination of the device's firmware. 

See also: Google researchers disclose vulnerabilities for 'interactionless' iOS attacks

Tenable's Jacob Baines said that he was able to remotely listen to the camera's audio feed over HTTP without any form of authentication. 

"The Amcrest IP2M-841B IP camera firmware version V2.520.AC00.18.R does not require authentication to access the HTTP endpoint /videotalk," the vulnerability's description reads. "An unauthenticated, remote person can connect to this endpoint and listen to the audio the camera is capturing."

To exploit the bug, it only takes an attacker to point their browser or a tool such as VLC to the endpoint, and a simple script can be used to extract audio footage. 

TechRepublic: How to protect your corporate bank account after the Capital One breach: 10 tips

If connected to the Internet, the researcher says, the camera essentially becomes "anyone's listening device."

The camera, a rebranded Dahua device, was also susceptible to CVE-2017-7927, an authentication bypass issue. 

CNET: Fake tech-support scams on Twitter could cost you, study warns

Tenable reached out with its findings in May. Amcrest acknowledged the existence of both vulnerabilities and developed a suitable patch. The public disclosure was pushed back until 29 July, and a firmware update was made available on the same day. 

Amcrest has not responded to requests for comment at the time of publication.

These are the worst hacks, cyberattacks, and data breaches of 2019 (so far)

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards