Several zero-day vulnerabilities in a home baby monitor could be exploited to allow hackers access to the camera feed and plant unauthorized code such as malware.
The security flaws in the IoT devices, which are manufactured by China-based vendor Victure, were discovered by researchers from Bitdefender.
In a security advisory (PDF), Bitfender detailed how a stack-based buffer overflow vulnerability in the ONVIF server component of Victure’s PC420 smart camera allowed an attacker to execute remote code on the target device.
If exploited, an attacker could discover cameras that they do not own, instruct these cameras to broadcast their feeds to unauthorized third parties, and compromise the camera firmware.
“While we cannot envision all the scenarios, we conservatively estimate that a determined hacker could use these vulnerabilities to spy on camera owners in their homes constantly, or allow others to engage in such activity,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, told The Daily Swig.
Botezatu warned: “The camera and cloud platform are extremely popular choices among IoT users and we estimate that around four million cameras deployed worldwide are affected by this issue.”
This issue affects Victure PC420 firmware versions 1.2.2 and prior.
Vendor silence
Bitdefender released details of the vulnerabilities after attempting to contact Victure to report their findings for a year, said Botezatu.
He told The Daily Swig: “We have made multiple attempts to get in touch with the vendor to offer our expertise in fixing these issues, but to no avail.
“We have decided to publish the research to at least let the users know that they are possibly sacrificing their privacy every minute they keep this device connected to their network.”
Security trumps price point
Concerned users should “stop using these devices altogether”, the researcher advised, adding that parents should prioritize security over the cost of a device.
Botezatu explained: “When choosing a baby monitor, the security aspect should trump features or price point.
“This is because similar vulnerabilities have been used in the past by threat actors to directly communicate with children, thus exposing them to interactions with adults outside the family’s circle of trust.
“We have been warning about the dangers of vulnerable video equipment for years and we started this vulnerability research project to help parents protect their privacy, as well as their children’s.”
The researcher added: “Sometimes, vendors choose to ignore these gaping holes and leave customers exposed instead.
“We have decided to publish our findings because we want potentially affected customers to be aware of the risks they face when using such products and let them decide whether it’s an acceptable one or not.”
The Daily Swig has reached out to Victure for comment.
Source: https://portswigger.net/daily-swig/zero-day-flaws-in-iot-baby-monitors-could-give-attackers-access-to-camera-feeds
