CANCUN, Mexico – Tech firm Hanwha Techwin is racing to fix 13 critical security holes found in its popular line of SmartCam security cameras. The patch rollout is part of public disclosure of the vulnerabilities set for today by researchers who discovered the bugs.
Flaws range from the use of an insecure HTTP communications protocol to a weak protection of credentials that could allow an attacker to take control of the camera or even use the device as a springboard to launch attacks within a connected network.
Kaspersky Lab researchers disclosed the vulnerabilities Thursday and coordinated with the device manufacturer who said it was in the process of deploying patches to fix firmware used in its Hanwha model SNH-V6410PN/PNW SmartCam security camera.
The model camera in question is used by both consumer and small business and is sold primarily in South Korea and Europe. According to Kaspersky’s ICS CERT team over 2,000 of the cameras have publicly accessible IP addresses. However, they believe the actual number of V6410PN cameras vulnerable to attack is likely higher.
“We believe there are even more of these cameras in use, but inside protected networks,” said Vladimir Dashchenko of Kaspersky Lab in an interview ahead of the release of a report on the Hanwha cameras debuted here at the company’s Security Analyst Summit.
More troubling, researchers said the flaw could exist across a large segment of Hanwha Techwin cameras that used similar firmware and infrastructure. Researchers only tested the V6410PN model camera and it’s unclear how many model cameras Hanwha is issuing patches for.
According to researchers, the prerequisite for such attacks is the adversary must first know the serial number of the camera it is attacking, which they say it relatively easy to obtain. “The way in which serial numbers are generated is relatively easy to find out through simple brute-force attacks: the camera registering system doesn’t have brute force protection,” Kaspersky researchers noted.
The camera’s fatal flaw is a misconfigured Hanwha communications protocol used with the third-party cloud-based service Cisco Jabber, which allows device owners to interact with their camera.
“One of the main problems associated with the cloud architecture is that it is based on the XMPP (Jabber) protocol. Essentially, the entire Hanwha smart camera cloud is a Jabber server. It has so-called rooms, with cameras of one type in each room. An attacker could register an arbitrary account on the Jabber server and gain access to all rooms on that server,” according to the report.
Four of the 13 bugs are related to the cloud functions of the camera platform, with the remainder tied to the device itself.
The most serious flaws opens an attack vector where an adversary can root the camera and spoof the DNS server addresses specified in the camera’s settings, which could then be used as a launch pad to conduct additional attacks on devices sharing the same local network.
“This (attack) is possible because the update server is specified as a URL address in the camera’s configuration file. This type of attack can be implemented even if a camera doesn’t have a global IP address and is located within a NAT subnet,” researcher said.
“The problem with current IoT device security is that both customers and vendors mistakenly think that if you place the device inside your network, and separate it from the wider internet with the help of a router, you will solve most of security problems – or at least significantly decrease the severity of existing issues,” Dashchenko said.
In many cases this is correct, he said. “However, our research shows that this may not actually be the case at all: given that the cameras we investigated were able to talk with the external world only via a cloud service, which is totally vulnerable,” he said.
A full list of vulnerabilities that could be used in attack scenarios include:
* Use of insecure HTTP protocol during firmware update
* Use of insecure HTTP protocol during camera interaction via HTTP API
* An undocumented (hidden) capability for switching the web interface using the file ‘dnpqtjqltm’
* Buffer overflow in file ‘dnpqtjqltm’ for switching the web interface
* A feature for the remote execution of commands with root privileges
* A capability to remotely change the administrator password
* Denial of service for SmartCam
* No protection from brute force attacks for the camera’s admin account password
* A weak password policy when registering the camera on the server xmpp.samsungsmartcam.com. Attacks against users of SmartCam applications are possible
* Communication with other cameras is possible via the cloud server
* Blocking of new camera registration on the cloud server
* Authentication bypass on SmartCam. Change of administrator password and remote execution of commands.
* Restoration of camera password for the SmartCam cloud account