Hacks to turn your wireless IP surveillance cameras against you

Thousands of wireless IP cameras are vulnerable to remote attacks. At Hack in the Box security conference, researchers showed how to exploit the devices in "To Watch or Be Watched: Turning Your Surveillance Camera Against You" and released a tool to automate attacks.

Sergey Shekyan and Artem Harutyunyan, researchers from the security firm Qualys, said the search engine Shodan shows about 100,000 wireless IP cameras that have "little or no emphasis on security." At the recent Hack in the Box security conference in Amsterdam, the researchers presented, "To Watch or Be Watched: Turning Your Surveillance Camera Against You" [pdf].
According to the abstract, "The web based administration interfaces can be considered as a textbook example of an insecure web application and easily leads to an exposure of not only sensitive personal information (such as wireless network, FTP, and even email access credentials), but also provides an eye to an inside of your house. Apart from the flaws in the web interface, the cameras also use questionable security practices when it comes to securing the firmware, which leads to even more interesting attack vectors."
Shekyan wrote, "We'll try to get some attention on security flaws of widely available IP surveillance cameras that you can get at Home Depot for as low as $70. It's quite a challenge for us, because we never dealt with embedded devices before, although security issues in the embedded web server of the camera themselves are enough to do whatever you/bad guy/Chinese government want."
Foscam wireless IP cameras are called by different brand names in Europe, but the actual insecure device is the same. According to security researchers, two out of 10 wireless IP cameras in the wild that can be found via Shodan will authenticate you with 'admin' without requiring password. For example, using Shodan to search for 'Netwave IP Camera,' 16,293 wireless IP cameras were found in the US, 15,898 in Germany, and 13,289 in France.

If the wireless IP camera is setup with a user-configured password, the researchers outlined other ways to exploit the device such as brute forcing the password that is limited to 12 characters. They added, "The vast majority of cameras have firmware vulnerable to path traversal vulnerability that allows authentication bypass." Although there has been a firmware update released to patch this hole, about 99% of the devices remain unpatched. This is nearly the same scenario as TRENDnet;  a year after firmware was released, thousands of TRENDnet IP cameras are unpatched, exploitable and still provide a real-time Peeping Tom paradise.
Regarding Foscam wireless IP cameras, US CERT and NIST listed the vulnerability (CVE-2013-2560). The description states, "Directory traversal vulnerability in the web interface on Foscam devices with firmware before 11.37.2.49 allows remote attackers to read arbitrary files via a .. (dot dot) in the URI, as demonstrated by discovering (1) web credentials or (2) Wi-Fi credentials."

Shekyan and Harutyunyan said DoS is yet a different attack scenario and it takes only seconds; since the camera only logs authenticated requests, there are no traces on the camera. An attacker can "grab videostream, email, FTP, MSN, Wi-Fi credentials." Malicious hackers could also host malware, or run arbitrary software such as botnets, proxies, and scanners. Another attack involves creating a backdoor by adding a hidden user to the camera and attacking a victim's browser using BeEF. These cameras are also connected to the local network, meaning that an attacker could exploit it to find and remotely hack other devices that wouldn't normally be accessible from the Internet.
The security researchers released a tool called getmecamtool that automates most of the attacks.

They advised that the wireless IP cameras should not be exposed to an outside network, but had a few suggestions for making the cameras less insecure for people who disregard that advice. These include using a firewall/IPS with strict rules, using a reverse proxy, or isolating the camera from the internal network.