What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking. The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, who sells it as a white-label product to several other camera vendors.

Nearly 200,000 WiFi Cameras Open to Hacking Right Now
https://www.bleepingcomputer.com/news/security/nearly-200-000-wifi-cameras-open-to-hacking-right-now/

What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking.

The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, who sells it as a white-label product to several other camera vendors.

Security researcher Pierre Kim says the firmware produced by this Chinese vendor comes with several flaws, which have all made their way down the line into the products of other companies that bought the white-label (unbranded) camera. In total, nearly 1,250 camera models based on the original camera are affected.

According to Kim, the cameras are affected by a total of seven security flaws. The biggest ones are listed below.

Backdoor account – Telnet runs by default, and everyone can log in with the following credentials

Pre-auth info and credentials leak – An attacker can bypass device authentication procedures by providing empty “loginuse” and “loginpas” parameters when accessing server configuration files

Pre-auth RCE as root – An attacker can bypass the authentication procedure and execute code on the camera under the root user just by accessing an URL with special parameters.

Streaming without authentication – An attacker can access the camera’s built-in RTSP server on port 10554 and watch a live video stream without having to authenticate

Cloud – The camera provides a “Cloud” feature that lets customers manage the device via the Internet. This feature uses a clear-text UDP tunnel to bypass NATs and firewalls. An attacker can abuse this feature to launch brute-force attacks and guess the device’s credentials.

Nearly 200,000 vulnerable cameras available online right now

Yesterday, Kim said that around 185,000 vulnerable cameras could be easily identified via Shodan. Today, the same query yields 198,500 vulnerable cameras.

“I advise to IMMEDIATELY DISCONNECT cameras [from] the Internet,” Kim said in a blog post. “Hundreds of thousands [of] cameras are affected by the 0day Info-Leak. Millions of them are using the insecure Cloud network.”