A bug in an IoT camera allowed eavesdropping on its owners

Information security researchers have discovered a serious vulnerability in the Amcrest security camera. The bug, which received the identifier CVE-2019-3948, made it possible to remotely listen to audio via HTTP without authentication. The manufacturer acknowledged the error and released a patch on July 29, and also updated the firmware on their devices.

The problem concerns the Amcrest IP2M-841B IP camera, which is capable of shooting 1080p video even in low-light conditions. It can be managed through a smartphone or computer, and the footage can be uploaded to the cloud if you have a subscription.

Jacob Baines, a specialist at the information security company Tenable, discovered the error while analyzing the firmware of his own camera.

“Connecting to the audio stream is a trifle. Just tell the browser or other tool, such as a VLC player, the endpoint of the video broadcast,” the researcher said in a post on Medium.

Baines added that when using VLC for listening, it would be necessary to write a special script to read DHAV files and play them using ffplay.

Thus, a camera connected to the Internet can turn into a listening device.

Careful inspection revealed that Amcrest is one of the many companies on the US market that sell products of the Chinese company Dahua under their own brand. Lawmakers banned the use of Dahua cameras in the country after a backdoor, which received the identifier CVE-2017-7927, was discovered in the devices in 2017.

According to Bloomberg reporters, even though Dahua immediately patched the bug, the government was still afraid of the possibility of spying and of the collected information being sent to China.

Experts have found that the CVE-2017-7927 error still exists in the rebranded Dahua devices. In particular, the Amcrest IP2M-841B is still vulnerable to attack if the user’s password is eight characters long.

The researchers reported both bugs to the company in May and noted that Amcrest apparently already knew about these problems.

Experts recommend that users update the firmware of their devices as soon as possible and, to better protect their privacy, take steps such as not connecting cameras to the Internet.

William Reddy
