Vulnerabilities in these IoT cameras could give attackers full control, warn researchers

Researchers at VDOO discover vulnerabilities which, if left unpatched, could allow attackers to take control of the devices or rope cameras into botnets.
Written by Danny Palmer, Senior Writer

Vulnerabilities in almost 400 models of internet connected video camera by one manufacturer could allow attackers to take remote control of devices for use as a surveillance tool with the ability to snoop on any audio or video it recorded.

By exploiting vulnerabilities in the internet-connected cameras from Axis Communications, researchers at security firm VDOO found that remote attackers could take over devices using just the IP address and without previous access to the camera or its login credentials.

The vulnerabilities have been disclosed to Axis, which has updated the firmware of all the affected products in order to protect users from falling victim to an attack. In a blog post, VDOO states that "to the best of our knowledge, these vulnerabilities were not exploited in the field".

In total seven vulnerabilities in the cameras were discovered and researchers have detailed how three of them could be chained together in order to provide remote access to the cameras and execute remote shell commands with root privileges.

See also: Everything you need to know about the Internet of Things right now

These include providing access to the camera's video stream, the ability to control where the camera is looking and to control motion detection and the ability to listen to audio. There's also the potential for cameras exploited in this way to be used as an entry point in the network for a wider attack, as well as the possibility of the camera being roped into a malicious botnet.

"The reason that vulnerabilities that enable root access are so threatening, is that the attacker can practically use any feature of the camera and beyond," Asaf Karas founder and CTO of VDOO told ZDNet.

"With the right resources, if someone knows of such vulnerabilities for a long time before they are patched -- he or she could definitely violate individual's privacy and organization's security in a significant manner; and also could attack other targets using many of the affected cameras".

Axis published updated firmware for the affected models two months before the research was published.

"Axis strongly recommends end users to update firmware for affected Axis products in a controlled manner. To cost efficiently deploy the upgraded firmware, Axis recommends using the tool Axis Device Manager, which will continuously monitor and notify of available firmware," the company said in a statement.

Those who've not yet updated their camera are advised to do so "immediately" by researchers.

This is far from the first time critical vulnerabilities have been discovered in IP cameras -- and just last week VDOO published research into similar security holes in Foscam cameras.

The researchers have published a list of recommendations to device vendors in order to make devices more secure. They include minimizing the use of shell scripts and ensuring devices use the correct encryption.


Editorial standards