The cybersecurity and anti-virus company Bitdefender has found several weaknesses in two cameras manufactured by the Chinese company Shenzhen Neo Electronics.
The cybersecurity and anti-virus company
Bitdefender has found several weaknesses in two cameras manufactured by the Chinese company Shenzhen Neo Electronics. The two models, iDoorbell and NIP-22 were found to have a number of buffer overflow vulnerabilities, some even before the authentication process. Bitdefender suspects that all cameras sold by the company use the same software and hence are vulnerable. Given the low price range of these products, there is a large number of them in use around the world.
Cyber security of certain Chinese security camera manufacturers has often been a topic of debate among industry professionals. But what is interesting about Bitdefender’s finding is that the firmware that was used in these cameras was used by other companies too, making them equally vulnerable.
Speaking to asmag.com, Alex Balan, Chief Security Researcher at Bitdefender, said a German company that used the same firmware was also found vulnerable to attacks.
“We also found an interesting thing, that is, the firmware embedded in those devices [two Chinese cameras] was also used by other brands,” Balan said. “That’s why the attack is on such a big scale and the vulnerabilities are on such a big scale because you are going to find the same vulnerability in other brands. For example, we identified a German company that was producing cameras with a different design, a different look and feel, a different interface but the same firmware with the same vulnerabilities.”
Balan was not willing to name the German company, although he added that the said company had fixed their camera. The important point here, Balan points out, is that there are several manufacturers out there that use the same firmware, spreading the vulnerability across the board.
The important point here, Balan points out, is that there are several manufacturers out there that use the same firmware, spreading the vulnerability across manufacturers.
The vulnerabilities that were found in the two cameras could, under certain conditions, allow remote code execution on the device, the report said. The same kind of vulnerabilities is also seen in the gateway that controls the sensors and alarms.
Both the iDoorbell and NIP-22 use UPnP to open ports on the router, so they are accessible from the outside world. Researchers at Bitdefender used the Shodan search engine to find all the cameras that could be discovered online. They report having found about 100,000 to 140,000 devices on a search for the HTTP web server. A search for RTSP server threw up similar results. It is important to note that these are not necessarily the same devices, as some have only one service forwarded. In Bitdefender’s estimates, the real number of unique devices is around 175,000.
Asked if there were any particular reasons for choosing Shenzhen Neo Electronics’ products to scrutinize, Balan said no. Bitdefender does a lot of research on IP vulnerabilities, and the Chinese brand was picked up at random. He also indicated that it wouldn’t be possible to say that Chinese manufacturers’ products are more vulnerable than those from other countries, because they have found issues with devices from all over the world.
“Basically we do this to understand how IoT [devices] can get compromised,” Balan said. “And we are trying to figure out how they can get compromised en masse, so not just proximity-based attacks. We are not trying to look at a specific company but just trying to understand the exposure and the things that would have a high impact on a larger scale.”
Although he recommends IoT product manufacturers to do a thorough evaluation before they put it out in the market, flaws are inevitable in the long run. What vendors can do, on their part, is to make sure they have a robust update system. If there is a system that ensures that manufacturers know about flaws as soon as they are uncovered and roll out an update that essentially fixes the problem, concerns can be minimized to some extent.
Image source: Shenzhen Neo Electronics