Two Popular IP Cameras Riddled With Vulnerabilities

LASER_oneXM

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Two consumer-grade IP-enabled security cameras manufactured by Loftek and VStartcam are riddled with nearly two dozen vulnerabilities that expose them to remote attacks. According to researchers, more than 1.3 million of the cameras are in use today, with 200,000 models located in the United States.
Click to expand...


Researchers said red flags popped up immediately when testing the Loftek and VStartcam cameras, both manufactured in China.

“As our initial scans came to an end, we reached the conclusion that if your (Loftek and VStarcam) camera is connected, you’re definitely at risk. It’s as simple as that,” Checkmarx researchers wrote.

Obvious vulnerabilities included hardcoded credentials, an inability to update the firmware, lack of support for HTTPS and an undocumented Telnet port in the VStartcam camera.


Lack of HTTPS support is bad enough, said Amit Ashbel, cyber-security evangelist at Checkmarx. He said that vulnerability alone allowed an attacker to send a clear text GET request to the camera containing a variety of different commands to gain a foothold on the device.
Click to expand...


Both cameras were also vulnerable to a raft of problems including cross-site request forgery vulnerabilities, stored cross-site scripting flaws, server-side request forgery and HTTP response splitting bugs. In total, 21 exploits were tested and confirmed.
Click to expand...

Despite 1.3 million devices being still in use, both cameras are no longer sold. However, in further scans of the internet using the Shodan search engine, additional camera models were found that also used the same vulnerable firmware that included; Foscam, Advance, Wanscan, Apexis, Visioncam, Eshine and EyeSight.

“There may be a scenario where an attacker could use either of the cameras’ settings to send spam emails or flood the victim’s inbox. With a simple script, an attacker could launch such an attack with little-to-no effort,” the report stated.

“The cameras are vulnerable by default, and—especially the Loftek 2200—which could be used as a backdoor to your network. It is clearly worth spending a bit more money on a more secure camera,” Ashbel said.
Click to expand...
 
  • Like
Reactions: Fritz and frogboy
You must log in or register to reply here.

Similar threads

Ink
    • Like
Privacy News Wyze cameras showing strangers' home, again
Replies
1
Views
1,231
Security News
vtqhtr413
vtqhtr413
vtqhtr413
    • +Reputation
    • Thanks
    • Like
The Hidden Features Of Your Android Phone's Camera
Replies
0
Views
515
News Archive
vtqhtr413
vtqhtr413
Ink
    • Like
Arlo EOL Policy for some 2014 and 2016 cameras
Replies
7
Views
565
News Archive
HarborFront
H

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top