Two Argentine researchers disclosed a serious security flaw in a series of video surveillance camera models that are very popular in Argentina, from the brand EZVIZ. The presentation was at Defcon, the world’s largest hacker conference, which takes place every year in Las Vegas.
“If an attacker wanted to, they could take advantage of this vulnerability to use it as in The Great Scam and replace live evidence in the best Hollywood style,” Octavio Gianatiempo, who together with Javier Aguinaga explained how this vulnerability works, told Clarion.
Gianatiempo found the problem when his boss asked him for a hand fixing a camera that didn’t work. As happens with all hackers, “one thing led to another” and he ended up analyzing the camera’s firmware (the program that is embedded in the device) and looking for vulnerabilities.
“The proposal of the talk was to show how we found these vulnerabilities and how they could be exploited by an attacker. They allow taking full control of the camera from the local wired or Wi-Fi network to which it connects. Once an attacker takes control of the camera, he can do whatever he wants,” says Gianatiempo.
“In our case and to illustrate the potential risk of this scenario, we show how an attacker could modify the video feed without a victim noticing. This could be used as in The Great Scam”, he adds, referring to the 2001 film in which a group of criminals orchestrate a robbery of 5 casinos in, precisely, Las Vegas.
The purpose of this type of research is to warn about the problems that widely used devices, such as this type of security camera, may have, and to report the problem so that the brand officially releases a security patch.
“Basically, what we seek is to raise awareness about a problem that persists in the IoT industry and devices connected to the internet. The security standards and practices in the development of its software have a lot to improve compared to other industries, even in devices that are designed to be used in surveillance or security contexts, as is the case with cameras”, he adds.
“This is even worse in low-cost models, given that bad practices are combined with their massiveness, increasing the impact of the vulnerabilities they possess”, continues the analyst.
Last year, both researchers presented at Defcon 30 and Ekoparty, one of the largest hacking conventions in Latin America, a very serious vulnerability in one of the best-selling modems in the entire region.
The discovery and EZVIZ’s reaction
Once the problem was reported by Gianatiempo and Aguinaga, EZVIZ issued a statement asking users to update the software of the cameras. However, one of the difficulties with this type of problem is that not all users update.
“Firmware updates for embedded devices always meet more resistance from users. Perhaps because making a mistake in the process can leave the device unusable (‘bricked’, as they say)”, analyzes the hacker.
“Historically they had to be applied manually by users. To change this situation, manufacturers are moving to updates that are automatic or that the user cannot cancel and can only postpone for a certain period of time, as in the case of operating systems. In the case of these cameras, it is an intermediate situation: the application notifies the user but they can choose not to update”, he warned.
In this sense, when vulnerabilities of this type are discovered, companies usually have official communication channels to receive reports of problems and fix them.
“It is increasingly common for brands to have a security contact to report vulnerabilities and a team in charge of studying the reports they receive. Once the validity of the report is established, a schedule is set for patching and distributing the update to users”, explains the hacker.
“After the update is available, or after a certain percentage of users have patched, the manufacturer usually issues a statement about the vulnerability giving credit to those who reported it and the researchers can make their finding public,” he adds.
Some companies pay financial rewards or run vulnerability hunting programs (bug bounty), although there is also a parallel market in which this type of information (exploits) is bought and sold through a system of brokers.
What to do if you have this model of camera
When these problems are detected, the urgent rule is always the same: update the software.
“Regarding this case, it is possible to update the firmware of the cameras from the mobile application that manages them; it is called EZVIZ App and it is in the Google Play Store”, Ernesto Bernal, cybersecurity researcher, explains to Clarion.
“Once our camera has been added, we must go to ‘Settings’, ‘Device Version’ and there we can see the current version that we have installed and we have the possibility of updating to the most recent one,” he continues.
This is because EZVIZ released a security patch for this issue, and until the user updates, the camera will not be covered.
“The recommendation is to always have our firmware updated to the latest version available to avoid being exposed to vulnerabilities that may affect our privacy,” Bernal concluded.
SL