The vulnerabilities allow a hacker to remotely access the camera, download images, decrypt them, and circumvent authentication to inject code remotely.
Security analysts at Bitdefender have published a detailed analysis of vulnerabilities in several lines of EZVIZ Internet of Things (IoT) cameras, a smart home security brand used across the globe.
The vulnerabilities unearthed in at least five EZVIZ camera models could allow a hacker to remotely access the camera, download images, decrypt them, and circumvent authentication to inject code remotely.
"When daisy-chained, the discovered vulnerabilities allow an attacker to remotely control the camera, download images, and decrypt them," the researchers explained. "Use of these vulnerabilities can bypass authentication and potentially execute code remotely, further compromising the integrity of the affected cameras."
The device models in which the vulnerabilities were spotted are listed below:
• CS-CV248 [20XXXXX72] - V5.2.1 build 180403
• CS-C6N-A0-1C2WFR [E1XXXXX79] - V5.3.0 build 201719
• CS-DB1C-A0-1E2W2FR [F1XXXXX52] - V5.3.0 build 211208
• CS-C6N-B0-1G2WF [G0XXXXX66] - v5.3.0 build 210731
• CS-C3W-A0-3H4WFRL [F4XXXXX93] - V5.3.5 build 22012
Threat analysts discovered the first vulnerability (tracked as CVE-2022-2471) in the ‘configMotionDetectArea’ API endpoint. Subsequently, they identified an insecure direct object reference vulnerability at multiple API endpoints that paves a path for hackers to gain access to the camera, and a third remote vulnerability that allows hackers to exfiltrate the encryption key for the video.
The final security bug, tracked under CVE-2022-2472, lets a hacker recover the administrator password and control the device.
“Our analysis uncovered several vulnerabilities in the EZVIZ smart devices and their API endpoints that could allow an attacker to carry out a variety of malicious actions, including remote code execution and access to the video feed,” said Dan Berte, director, IoT Security at Bitdefender. “One of the main features of these devices is the ability to be accessed from anywhere the user has an internet connection.”
The researchers advised users to apply the patches, update the software immediately, and regularly visit the manufacturer’s website for any EZVIZ camera security-related news.
In August last year, Bitdefender security experts unearthed multiple zero-day vulnerabilities in a home baby monitor made by China-based developer Victure. In a security report, researchers disclosed a stack-based buffer flaw in the ONVIF server component of the Victure PC420 camera that allows hackers to execute code remotely on the victim device. When exploited, hackers can discover cameras (not owned by them), command devices to broadcast camera feeds to a third party, and exploit the camera firmware.