Critical flaws found in Amcrest security cameras wireless IPM-721 series
Launched around 2015, it offers 720p HD quality, two-way audio, the ability to pan and tilt, night vision, rounded off with four hours of cloud storage for your video footage at no extra cost.
This week, we learned that the camera had another less welcome characteristic in the form of six security flaws discovered back in 2017 by a researcher at security outfit Synopsys.
The 721 family has since been superseded by newer designs, which doesn’t, of course, mean that the many thousands of people who bought the product will stop using it just because a researcher has turned up security issues.
Those cameras are out there, an unknown number of which are in a vulnerable state that an attacker might identify using the Shodan search engine if they are configured to be accessible via the internet. Ideally, these cameras need to be identified and patched as soon as possible.
There are really three issues in play here the nature and severity of the flaws, how users should go about updating the firmware to secure their cameras, and why it’s taken until 2019 for owners to hear about them.
According to Threatpost, which spoke to the Synopsys researcher who uncovered the flaws, there are six vulnerabilities, now identified as CVE-2017-8226, CVE-2017-8227, CVE-2017-8228, CVE-2017-8229, CVE-2017-8230 and CVE-2017-13719.
We weren’t able to track down an advisory from Amcrest, but Synopsys posted outlines of each on Bugtraq.
Two of these – CVE-2017-8229 and CVE2017-13719 – earn a CVSS score of 9.8 and 10 respectively, which means they are critical issues.
The first allows an unauthenticated attacker to discover the camera’s admin credentials stored in clear text, facilitating a takeover of the device and, presumably including locking legitimate users out of the UI. Worryingly:
The second is a problem in a stack overflow flaw affecting the camera’s Open Network Video Interface Forum (ONVIF) specification. This, too, could affect other Amcrest IP cameras, allowing devices to be remotely hijacked.