Ten million EZVIZ cameras with vulnerabilities 


Share post

Bitdefender Labs security researchers have discovered several vulnerabilities in popular EZVIZ smart cameras. Hackers can combine them and gain control over systems and access to content. An estimated ten million devices are affected.

To do this, the perpetrators bypass existing authentication mechanisms. Bitdefender has informed the manufacturer and provided updates. Users should definitely patch and update their cameras. It is estimated that around ten million devices are affected. The estimate is based on known Android and iOS installations.


Access to the video feed

On the one hand, hackers can use the gaps in the API endpoints to perform various actions on unpatched cameras and gain access to the video feed. Also, they can extract the code for decrypting the images. Finally, they are able to recover the admin password, giving them full control over a camera.

API endpoint vulnerabilities

The experts diagnosed various vulnerabilities in the EZVIZ intelligent devices and their API endpoints. The attackers use the constantly active and open communication channels between the smartphone app and the device via the cloud via MQTT tunnel or HTTPS.


Subscribe to our newsletter now

Read the best news from B2B CYBER SECURITY once a month

By clicking on "Register" I agree to the processing and use of my data in accordance with the declaration of consent (please open for details). I can find more information in our Privacy policy. After registering, you will first receive a confirmation email so that no other person can order something you don't want.
Expand for details on your consent
It goes without saying that we handle your personal data responsibly. If we collect personal data from you, we process it in compliance with the applicable data protection regulations. Detailed information can be found in our Privacy policy. You can unsubscribe from the newsletter at any time. You will find a corresponding link in the newsletter. After you have unsubscribed, your data will be deleted as soon as possible. Recovery is not possible. If you would like to receive the newsletter again, simply order it again. Do the same if you want to use a different email address for your newsletter. If you would like to receive the newsletter offered on the website, we need an e-mail address from you as well as information that allows us to verify that you are the owner of the e-mail address provided and that you agree to receive the newsletter. Further data is not collected or only collected on a voluntary basis. We use newsletter service providers, which are described below, to process the newsletter.


This website uses CleverReach to send newsletters. The provider is CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany (hereinafter “CleverReach”). CleverReach is a service that can be used to organize and analyze the sending of newsletters. The data you enter for the purpose of subscribing to the newsletter (e.g. email address) will be stored on the CleverReach servers in Germany or Ireland. Our newsletters sent with CleverReach enable us to analyze the behavior of the newsletter recipients. This can include It is analyzed how many recipients have opened the newsletter message and how often which link in the newsletter was clicked. With the help of so-called conversion tracking, it can also be analyzed whether a previously defined action (e.g. purchase of a product on this website) took place after clicking on the link in the newsletter. Further information on data analysis by CleverReach newsletter is available at: https://www.cleverreach.com/de/funktionen/reporting-und-tracking/. The data processing takes place on the basis of your consent (Art. 6 Para. 1 lit. a DSGVO). You can revoke this consent at any time by unsubscribing from the newsletter. The legality of the data processing operations that have already taken place remains unaffected by the revocation. If you do not want an analysis by CleverReach, you must unsubscribe from the newsletter. For this purpose, we provide a corresponding link in every newsletter message. The data you have stored with us for the purpose of subscribing to the newsletter will be stored by us or the newsletter service provider until you unsubscribe from the newsletter and deleted from the newsletter distribution list after you have canceled the newsletter. Data stored by us for other purposes remain unaffected. After you have been removed from the newsletter distribution list, your e-mail address may be stored by us or the newsletter service provider in a blacklist if this is necessary to prevent future mailings. The data from the blacklist is only used for this purpose and is not merged with other data. This serves both your interest and our interest in complying with the legal requirements when sending newsletters (legitimate interest within the meaning of Art. 6 Para. 1 lit. f GDPR). Storage in the blacklist is not limited in time. You may object to the storage if your interests outweigh our legitimate interest. For more information, see the privacy policy of CleverReach at: https://www.cleverreach.com/de/datenschutz/.

Data processing

We have concluded an order processing contract (AVV) for the use of the above-mentioned service. This is a contract required by data protection law, which ensures that the personal data of our website visitors is only processed according to our instructions and in compliance with the GDPR.

While one of the channels handles the audio-video stream, the second channel transmits control commands and configuration commands that a user sends to the API endpoint via the smartphone app. The /api/device/configMotionDetectArea API endpoint that configures motion detection does not check whether a command from the cloud server has the intended length in the local stack buffer. In the case of buffer overflow, the hackers can execute code remotely.

🔎 Communication between smartphone app and EZVIZ camera via the cloud (Image: Bitdefender).

Other API endpoints have vulnerabilities due to an insecure direct reference to objects. Cyber ​​criminals can access other users' resources simply by needing the resource's ID. There is no control of the access rights of the person. Since the IDs are assigned serially, the attackers only need to increment them in order to be able to access other resources. The attackers then send their payload and – as already described – can execute the code directly after a buffer overflow.

View encrypted images

The images encrypted by the camera when they are saved can actually only be decrypted using a random verification code. Each camera has its own code. However, the short codes can easily be opened up using brute force attacks. Additional passwords for encrypting the recorded material can be called up simply by knowing the serial number of a device.

Access to the administrator password

A service via port 8000 to control and configure the camera in the same local network allows attackers under certain conditions to obtain the administrator password after a request and thus have full control of the camera. This is the case, for example, if no user had authenticated himself after commissioning.

More at Bitdefender.com


About Bitdefender

Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de


Matching articles on the topic

Bitmarck & health insurance companies: There are still failures

More than 2 months ago, the IT provider for dozens of health insurance companies and company health insurance companies, Bitmarck, was hit by a cyber attack. Even whole had to ➡ Read more

AOK: Software vulnerability - BSI confirms data leak

The AOK and many of their nationwide offices use the software product MOVEit Transfer. There is now the dangerous vulnerability CVE-2023-34362, ➡ Read more

COSMICENERGY: OT malware is designed to cause power outages

Mandiant is reporting a new specialized Operational Technology (OT) malware being observed under the name COSMICENERGY. The malware ➡ Read more

Lockbit steals 700 GB of data from MCNA with 9 million customers

MCNA Dental, North America's largest dental insurer, has had to inform all of its nearly 9 million customers at a loss of 700 ➡ Read more

Zero Trust: Advanced User Intelligence

A Zero Trust Data Security company presents its Advanced User Intelligence. The new functions support companies in preventing cyber attacks ➡ Read more

Attacks using Web3 IPFS technology

IPFS is a Web3 technology that decentralizes and distributes the storage of files and other data on a peer-to-peer network. Like any ➡ Read more

Tesla: Employee probably passed on 100 GB of data

According to a report by the Handelsblatt, a former Tesla employee claims to have stolen 100 GB of data and has given it to the editors ➡ Read more

Insecure video conferencing

Online meetings offer cybercriminals a good opportunity to cause enormous damage to companies. The cases of industrial espionage via video conference, hacking or data theft are increasing ➡ Read more

[starbox id=USER_ID] <🔎> ff7f00




The analysis is part of an ongoing project in which Bitdefender Labs experts are investigating the specific security of IoT hardware. The full report is available at: https://www.bitdefender.com/files/News/CaseStudies/study/423/Bitdefender-PR-Whitepaper-EZVIZ-creat6311-en-EN.pdf .

Download the higher resolution images here: https://www.dropbox.com/sh/zm5bu7tp137vfed/AABg8UQcO54h0NBdY44M6Gwca?dl=0 .

Copyright for all images: Bitdefender.

Figure 1: Communication between app and smartphone via the cloud.

Figure 2: Remote execution via APIs: after requesting a panorama shot, third parties can download the images.