back to article Oops! 185,000-plus Wi-Fi cameras on the web with insecure admin panels

Get ready for the next camera-botnet: a Chinese generic wireless webcam sold under more than 1,200 brands from 354 vendors has a buggy and exploitable embedded web server. According to an advisory by security researcher Pierre Kim this week, the flaws lie within the camera's administration interface – plus the firmware opens …

  1. b0llchit
    Black Helicopters

    A wet dream

    All these computers with no or inadequate security is the surveillance community's(*) wet dream. We all should just bug ourselves and let the watchers watch our watches being watched. It is not about what should be done, but simply how to make a quick buck, regardless of the consequences, a "me too" society (doesn't that sound very familiar in other contexts?).

    Maybe it is best if we turn off the internet...

    (*) euphemism for "the bad guys"

  2. LDS Silver badge

    Same lame product "sold under more than 1,200 brands from 354 vendors".

    I really like how this sector is truly innovative and competitive.

    1. chivo243 Silver badge

      Re: Same lame product "sold under more than 1,200 brands from 354 vendors".

      no longer an innovative or competitive product, sounds like just a commodity now, just something everybody thinks they need and will buy...

    2. imanidiot Silver badge

      Re: Same lame product "sold under more than 1,200 brands from 354 vendors".

      Welcome to the world of today, where a company can build a camera based on a reference design of the video processing chip, tweak the default drivers a little and build a billion units under every imaginable brand. Brand gets tainted due to bad reviews? Tweak the casing a little and release under the next brand name. Ad infinitum.

      1. phuzz Silver badge

        Re: Same lame product "sold under more than 1,200 brands from 354 vendors".

        "build a camera based on a reference design of the video processing chip, tweak the default drivers a little and build a billion units"

        Why would they even bother tweaking the drivers? As long as the branding is correct, pile 'em high and sell 'em cheap!

  3. Doc Ock

    Another day, another IoT security fuck-up.

    1. Smooth Newt
      Happy

      Another IoT security fuck-up.

      Another day, another IoT security fuck-up.

      I don't know if it is a fuck-up if it is deliberate. Still I suppose you can accidentally design in a NAT-busting tunnel into a network camera in the same way as you can accidentally fire an anti-aircraft gun:

      Sergeant Frank Tree: You shouldn't touch the ordnance at all. But more specifically, you should never pull this hand-operating lever to the rear.

      Ward Douglas: Never.

      Sergeant Frank Tree: Do not push a clip of ammunition down into the feed rollers here.

      Ward Douglas: No, sir, never.

      Sergeant Frank Tree: You never restore this lever to firing position. Do not make sure that this cover is completely closed.

      Ward Douglas: No sir.

      Sergeant Frank Tree: Never depress operator's foot triggers here, here and at the rear here.

  4. Zog_but_not_the_first Silver badge
    Holmes

    Insecure by design

    Apologies for posting this again, but much of this tat is insecure (for the user) by design. The older systems frequently advise "easy access to your video stream by entering your router's WAN address, and admin login details on our dedicated web site". I don't expect the newer Plug and Pray P2P based systems to be much better.

  5. wolfetone Silver badge

    There's a lot to be said for having a security system (be it CCTV or alarms) that relies purely on wires and can't be accessed remotely. Isn't there?

    1. phil 27

      Not completely isolated, I really like it when my home automation sends me a urgent mail to my smartphone that a camera recognition event was triggered. When I had hard wired only systems this would have been a major thing, and one property we had a ADT monitored and installed system that had so many false alarms the police refused to attend a alarm event from it.

      Now, I've got a small collection of images of 3am "spiders that like looking very closely at IR emitters" images on my server and it saves having to ring someone and get them out of bed at stupid o clock for a false alarm while we're away for the weekend or something. And if I ring, everyone knows there's a genuine reason because its passed the human filter system.

      Connected done properly = good , connected open with its pants down waiting just so you can write "cloud" or "IoT" on the box = bad.

      1. Anonymous Coward
        Anonymous Coward

        [my] collection of images of 3am "spiders that like looking very closely at IR emitters"

        Presumably there's some kind of online community you could join with those...

      2. wolfetone Silver badge

        "Connected done properly = good , connected open with its pants down waiting just so you can write "cloud" or "IoT" on the box = bad."

        I agree with this bit.

        The problem is though, and I had a friend do this, it's a cost thing. The look at the figures for ADT, think "Na mate, too expensive" because they saw a CCTV kit on Amazon for £100 that they can view on their mobile. So they essentially get all the good bits of ADT but for a one off price.

        That's the problem.

        1. AMBxx Silver badge

          I have a pair of the D-Link cameras that are now known to be insecure. No internet access to them, or from them. They send emails to me of any images. If I need to see what's happening, I just VPN to the network.

          Problem is that 99% of the population just view it as 'just a camera' and don't think about security.

          1. Number6

            While I have a wired system that lives behind a firewall (which actively blocks the camera IPs from the internet), I still positioned the cameras with some thought to what someone else might see if they did manage to hack in. So you get a set of fairly dull views of the outside of the house and cars passing in the street.

            I could probably VPN in to get access, but I've never bothered to try.

  6. phil 27

    Or, if your technically competent, just give it a static ip on your local subnet, and give it a device as its default route that can't route out the subnet. Everyone on the local subnet can still access it, but it can't phone home.

    If you need it "on the cloud", zoneminder on a trusted machine that can route out but doesn't have made in shengzen budget firmware. Or let it upload its images to a local server and rsync over ssh that somewhere public etc.

    We should be designing routers with firewall features like isolation zones for devices like this out the box. But then the routers themselves would have to be made properly and tested.

    Can we swap IoT for a PLoT model please? (protected lan of things). Then we can at least get normal people to make a attempt to bolt the stable door. Add a outer layer to the onion and all that?

  7. happy but not clappy
    Go

    Where's the FTFY squad?

    In "Brazil" the movie, we had Robert De Niro in his finest role as a renegade plumber. Now, as in the movie, no doubt it is a death penalty offence to shutdown these intelligence service backdoors.

    We need the Harry Tuttles.

    https://www.youtube.com/watch?v=teufz17PqoY

  8. Pascal Monett Silver badge
    Facepalm

    "pre-configured connections to AWS, Alibaba and Baidu"

    Just another highway for TLAs to snoop through your stuff without a warrant.

    Oh, and look : things are improving because now Chinese TLAs can participate in the current grab-fest of private details.

    And they call that "progress".

  9. Anonymous Coward
    Anonymous Coward

    So he got command line admin access to a camera on his own LAN, learned how to stream video from the camera on his own LAN, and he announced you could try to brute force the passwords to other peoples cameras on the internet (which will probably be protected against). Wow what a top notch security expert we have here.

  10. heyrick Silver badge

    I have one of these cameras

    I've managed to lock it down better by tweaking the startup file to write a new hosts file with stuff locked to localhost, iptables to nobble the UDP, and a new password pushed in after x seconds.

    Not perfect but it's a start and anyway it is mostly a toy.

    However - something to add to the disclosure. The service's DDNS lets the camera register itself so am address like abc1234@provider.com redirects to the camera. Well, it is configured with a cleartext HTTP request and the update password is banked into the camera's binary. I have used it to update arbitrary cameras (those marked as not being used) which means that it would be a doddle to hijack somebody else's camera.

  11. Boohoo4u

    I can't wait until the sky is filled with (knock off) drones. We haven't seen anything yet.

    I can't believe the FAA allows drones. I can see all kinds of ways they could be exploited by terrorists...

    Remember when a drone got lost and landed on the White House lawn?

    IoT = huge national security threat

    Of course, the security agencies won't do anything, because they'll be exploiting them for their own use.

  12. Winkypop Silver badge
    Headmaster

    You!

    Yes, you behind the bikesheds, stand still laddy!"

  13. DougS Silver badge

    But why would that random TCP port be open to anyone, let alone the internet?

    I suppose if you have unauthenticated public wifi AND these webcams on the same subnet you'd be vulnerable to people on your public wifi, but if you are dumb enough to do that, you deserve your fate.

    I get it that insecure "IoT" devices like this are the plat du jour of security companies these days, but seriously, how worrisome are these attacks in a world where small networks hide behind NAT and big ones behind firewalls?

    It would be a MUCH bigger problem if it was on port 80 or 443, since someone with a webcam might open up that port so they can see it remotely. Leave a backdoor on the standard HTTP or HTTPS port, and the problem is 1000x worse.

    1. LDS Silver badge

      "how worrisome are these attacks in a world where small networks hide behind NAT"

      Problem is "features" like uPnP - which are unluckily supported and enabled by default in most routers. A uPnP device can add port mappings itself...

  14. herman Silver badge
    Devil

    I think myfreecams is much easier to navigate than shodan...

  15. heyrick Silver badge

    This is not news

    I had a cheap webcam. Did a bunch of things to try to secure it.

    Then I made a programming error in a thingy I wrote to fetch images. I requested a URL without the initial / character. And to my horror (exaggeration, I wasn't surprised), the server returned the content completely bypassing the password "security".

    So now I know, I just need to know (or scan) for the camera's DDNS ID, then request "system.ini" (not "/system.ini") and the camera with obligingly return the entire configuration in binary form. Drop it into a text editor and read it the passwords, SSIDs, FTP/email login credentials...

    ... It is a WANSCAM/FOSCAM VGA resolution tilt and turn camera.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019