Trivial Bug Turns Home Security Cameras Into Listening Posts

silversurfer · Jul 31, 2019

A vulnerability in the consumer-grade Amcrest IP2M-841B IP home security video camera would allow an attacker to remotely listen to the camera’s audio over the internet, without authentication.

“Essentially, if this thing is connected directly to the internet, it’s anyone’s listening device,” explained Jacob Baines, researcher with Tenable Security, in a posting on the flaw this week.

The bug (CVE-2019–3948) exists in the firmware of the device, which is based on OEM code from another vendor, Dahua (a Chinese company that the U.S. is considering blacklisting over espionage concerns). Tenable found that, like many Wi-Fi-enabled Dashua devices, the IP2M-841B has a service listening on TCP port 37777.