A bug in the IoT camera allowed listening on its owners

Information security researchers have discovered a serious vulnerability in the Amcrest security camera. The bug, which received the identifier CVE-2019-3948, made it possible to remotely listen to audio via HTTP without authentication. The manufacturer acknowledged the error and released a patch on July 29, and also updated the firmware on their devices.

Specialist of the information security company Tenable Jacob Baines discovered an error while analyzing the firmware of his own camera.

“Connecting to the audio stream is a trifle. Just tell the browser or other tool, such as a VLC player, the endpoint of the video broadcast”, – the researcher said in a post on Medium.

Baines added that when using VLC for listeting, it would be necessary to write a special script to read DHAV files and play them using ffplay.

Thus, a camera connected to the Internet can turn into a listening device.

Read also: ESET discovered a new version of the Okrum Trojan from APT15 grouping

Careful inspection revealed that Amcrest is one of the many companies on the US market that produce products of the Chinese company Dahua under its own brand. Lawmakers banned use of its cameras in the country after in 2017 they discovered a backdoor in devices that received the identifier CVE-2017-7927.

According to Bloomberg reporters, despite the fact that Dahua immediately patched the found bug, the government was still afraid of the possibility of spying and sending the collected information to China.

Experts have found that error CVE-2017-7927 still exists in the renamed Dahua devices. In particular, the Amcrest IP2M-841B is still vulnerable to attack if the user’s password is eight characters long.

Researchers reported to the company in May about both bugs and noted that Amcrest, apparently, already knew about these problems.