Ten million EZVIZ cameras with vulnerabilities 

Bitdefender_News

Share post

Bitdefender Labs security researchers have discovered several vulnerabilities in popular EZVIZ smart cameras. Hackers can combine them and gain control over systems and access to content. An estimated ten million devices are affected.

To do this, the perpetrators bypass existing authentication mechanisms. Bitdefender has informed the manufacturer and provided updates. Users should definitely patch and update their cameras. It is estimated that around ten million devices are affected. The estimate is based on known Android and iOS installations.

Access to the video feed

On the one hand, hackers can use the gaps in the API endpoints to perform various actions on unpatched cameras and gain access to the video feed. Also, they can extract the code for decrypting the images. Finally, they are able to recover the admin password, giving them full control over a camera.

API endpoint vulnerabilities

The experts diagnosed various vulnerabilities in the EZVIZ intelligent devices and their API endpoints. The attackers use the constantly active and open communication channels between the smartphone app and the device via the cloud via MQTT tunnel or HTTPS.

While one of the channels handles the audio-video stream, the second channel transmits control commands and configuration commands that a user sends to the API endpoint via the smartphone app. The /api/device/configMotionDetectArea API endpoint that configures motion detection does not check whether a command from the cloud server has the intended length in the local stack buffer. In the case of buffer overflow, the hackers can execute code remotely.

🔎 Communication between smartphone app and EZVIZ camera via the cloud (Image: Bitdefender).

Other API endpoints have vulnerabilities due to an insecure direct reference to objects. Cyber ​​criminals can access other users' resources simply by needing the resource's ID. There is no control of the access rights of the person. Since the IDs are assigned serially, the attackers only need to increment them in order to be able to access other resources. The attackers then send their payload and – as already described – can execute the code directly after a buffer overflow.

View encrypted images

The images encrypted by the camera when they are saved can actually only be decrypted using a random verification code. Each camera has its own code. However, the short codes can easily be opened up using brute force attacks. Additional passwords for encrypting the recorded material can be called up simply by knowing the serial number of a device.

Access to the administrator password

A service via port 8000 to control and configure the camera in the same local network allows attackers under certain conditions to obtain the administrator password after a request and thus have full control of the camera. This is the case, for example, if no user had authenticated himself after commissioning.

More at Bitdefender.com

 


About Bitdefender

Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de


 

Matching articles on the topic

Curious: Malware developer gives himself away through mistakes

Exposing the Styx Stealer: How a hacker's slip-up led to the discovery of a huge amount of data on his own computer. The ➡ Read more

NIS2 Directive for cybersecurity in the EU

The introduction of the EU NIS2 Directive, which is to be implemented into national law by the Member States by October 2024, brings ➡ Read more

Best-of-breed for cybersecurity

History repeats itself, even in the area of ​​cybersecurity. There are cycles of consolidation and modularization. Currently, consolidation is again ➡ Read more

Webinar 17 September: Implementing NIS2 in a legally compliant manner

NIS2 Deep Dive: In a free, German-language webinar on September 17th from 10 a.m., a lawyer will explain how companies ➡ Read more

Narrative attacks: false facts, real consequences

The danger is diffuse and difficult to grasp: While companies increasingly have to find their way in the complex landscape of cyber attacks, ➡ Read more

Vulnerability in the Google Cloud Platform (GCP)

An exposure management company announces that its research team has identified a vulnerability in the Google Cloud Platform (GCP) ➡ Read more

NIST standards for quantum security

The publication of the post-quantum standards by the National Institute of Standards and Technology (NIST) marks a decisive step forward in securing ➡ Read more

Cisco licensing tool with critical 9.8 vulnerabilities

Cisco reports critical vulnerabilities in the Cisco Smart Licensing Utility that achieve a CVSS score of 9.8 out of 10. These vulnerabilities ➡ Read more

[starbox id=USER_ID] <🔎> ff7f00

 

 

 

The analysis is part of an ongoing project in which Bitdefender Labs experts are investigating the specific security of IoT hardware. The full report is available at: https://www.bitdefender.com/files/News/CaseStudies/study/423/Bitdefender-PR-Whitepaper-EZVIZ-creat6311-en-EN.pdf .

Download the higher resolution images here: https://www.dropbox.com/sh/zm5bu7tp137vfed/AABg8UQcO54h0NBdY44M6Gwca?dl=0 .

Copyright for all images: Bitdefender.

Figure 1: Communication between app and smartphone via the cloud.

Figure 2: Remote execution via APIs: after requesting a panorama shot, third parties can download the images.