Vulnerabilities in almost 400 models of internet-connected video camera from one manufacturer could allow attackers to take remote control of the devices and use them as surveillance tools, snooping on any audio or video they record.
By exploiting vulnerabilities in the internet-connected cameras from Axis Communications, researchers at security firm VDOO[1] found that remote attackers could take over devices using just the IP address and without previous access to the camera or its login credentials.
The vulnerabilities have been disclosed to Axis, which has updated the firmware of all the affected products[2] in order to protect users from falling victim to an attack. In a blog post, VDOO states that "to the best of our knowledge, these vulnerabilities were not exploited in the field".
In total, seven vulnerabilities were discovered in the cameras, and researchers have detailed how three of them could be chained together to provide remote access to the cameras and execute remote shell commands with root privileges.
What an attacker could do with that access includes viewing the camera's video stream, controlling where the camera is looking, controlling motion detection, and listening to audio. Cameras exploited in this way could also be used as an entry point into the network for a wider attack, or be roped into a malicious botnet.
"The reason that vulnerabilities that enable root access are so threatening, is that the attacker can practically use any feature of the camera and beyond," Asaf Karas, founder and CTO of VDOO, told ZDNet.