With the proliferation of the Internet of Things and a lack of regulation governing its security level, vulnerable devices pose a risk to the entire home network. Even though they’re designed for security, many IP cameras come with flaws hackers can exploit for malicious activity against their owners. Two surveillance products, CXS 2200 from Loftek and C7837WIP from VStarcam, fall under this category, with researchers counting more than 20 security bugs during their tests.
The problems discovered in the firmware of the two cameras could let an attacker spy on the victim via sound and video, gain control of other devices on the network, or turn the product into a bot for distributed denial-of-service attacks. The warning comes from Checkmarx researchers, who evaluated the wireless IP cameras, which are highly appealing to consumers because of their low price.
One common vulnerability in IoTs is telnet communication – an insecure connection used in the past to access remote computers. Telnet connectivity is also enabled in the VStarcam C7837WIP, although it is undocumented. This was among the first issues uncovered and exploited by the researchers.
On Loftek CXS 2200, a cross-site request forgery (CSRF) vulnerability allows a hacker to send a variety of commands to the camera, including one to create users with administrator privileges. The tests have gone beyond this and shown it could be possible to add a user that was almost invisible in the camera’s interface, by naming it with the hexadecimal representation (“20%”) for a blank space and leaving the default password.
Checkmarx says the firmware powering Loftek and VStarcam products is also present in camera models from other manufacturers, a practice also exposed by Bitdefender in a recent study. Researchers estimate that the number of vulnerable cameras online exceeds 1 million.
Just as in the case of the NEO Coolcams research, Loftek and VStarcam did not respond to the vulnerability disclosure attempts, and firmware updates for their IP cameras are not available publicly – this makes it difficult for regular users to install a version with fewer security risks. Because the firmware runs on products from other vendors, it would be possible to apply it to Loftek and VStarcam devices, although it may not be fully compatible and may not support all the features.