EZVIZ video cameras can be accessed remotely – Security

Researchers from security provider Bitdefender have discovered a series of serious vulnerabilities that could be used to remotely control EZVIZ network cameras without authentication, in order to download and decrypt images.

Bitdefender was able to create an attack chain of four different bugs to take control of the EZVIZ cameras, exploiting a stack buffer overflow and vulnerable application programming interface endpoints.

Together, the attack chain would lead to a complete takeover of the camera with access to the video stream.

Bitdefender was also able to capture the image encryption key and recover the admin password.

The cameras are sold and used in Australia and New Zealand.

Camera firmware version 5.3.0, version 201719, contained the vulnerabilities, but Bitdefender said earlier versions could also be vulnerable.

EZVIZ has released fixes for the affected cameras.

Internet-connected cameras have come under attack in recent years.

The Mirai botnet, which was behind some of the biggest distributed denial of service attacks, has been traced to insecure cameras made by Hangzhou Xiongmai Technologies.

Last year, cameras made by Verkada and used by a supplier to Tesla and hundreds of other companies were hacked by Swiss hacktivist Tillie Kottmann, exposing images from some 150,000 devices.
