Connected IP cameras are ubiquitous. Always connected and readily available from outside of the home, they are the go-to surveillance device. But their constant connection to their cloud means they can be found and hijacked, if vulnerable.
As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program and aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers the Neos SmartCam and is based on our research of the 4.15.2.133 firmware version.
Note: While research, reporting and patching took place in the last few months of 2020, we had to defer the publication of this report because these vulnerabilities were shared with other platforms and products at the time.
We’d like to thank the security team at Neos for their rapid acknowledgment of issues and rapid delivery of new firmware. Neos is running a bug bounty program, which greatly helped both parties establish a secure communication channel and coordinate further.
Firmware version 4.15.2.311 fixes both vulnerabilities.
Authentication bypass with elevation to root
The Neos SmartCam uses the Kalay SDK to communicate with the cloud platform. The TUTK service running on the device normally expects the 0x2710 command during authentication. We have discovered that sending ID 0x2712 and NULL content to the TUTK service instead would bypass authentication.
This lets us access undocumented functionality (such as enabling the Telnet service) and authenticate as root. Our proof-of-concept code would bypass authentication and then send another command (ID 0x2780) to enable the Telnet service.
Impact: By bypassing authentication, we can access undocumented features, allowing us to gain root privileges on the device by enabling Telnet and using the root:ismart12 credentials. The bypass can be exploited from LAN or remotely, as long as the attacker knows the device UID.
Buffer overflow with remote code execution
The same TUTK component is also vulnerable to a buffer overflow attack. The handler for the TUTK command with ID 0x2776 does not validate the received buffer length. This allows us to overwrite the return address and obtain code execution. Paired with the TUTK authentication bypass described earlier, it lets an attacker exploit any camera remotely, knowing only the device UID.
Our PoC bypasses authentication and then sends the command with ID 0x2776 to exploit the vulnerability and execute the specified command. As the iCamera executable crashes, the watchdog will restart the camera, but we can achieve persistence by modifying the startup script.
Impact: By exploiting this vulnerability, we can run commands as root on the SmartCam device. The functionality can be accessed remotely, provided the attacker knows the device UID.
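A minimal sketch of the two server-side checks whose absence this report describes, added here as an illustration and not taken from the Neos firmware or the Kalay SDK: a default-deny gate so that only 0x2710 is accepted before authentication, and a length check in the 0x2776 handler. The session struct, buffer size, return codes and credential check are assumptions; only the command IDs come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Command IDs are from the report; every other name here is hypothetical. */
enum { CMD_AUTH = 0x2710, CMD_2712 = 0x2712, CMD_2776 = 0x2776, CMD_2780 = 0x2780 };
enum { RC_OK = 0, RC_DENIED = -1, RC_BAD_LENGTH = -2, RC_UNKNOWN = -3 };
#define ARG_MAX_LEN 64 /* assumed size of the handler's fixed buffer */

struct session {
    int authenticated;
    uint8_t arg[ARG_MAX_LEN];
    size_t arg_len;
};

/* Stand-in credential check (constructed secret), compared in constant time. */
static int check_credentials(const uint8_t *p, size_t n) {
    static const uint8_t expected[] = "constructed-secret";
    uint8_t diff = 0;
    if (p == NULL || n != sizeof expected - 1) return 0;
    for (size_t i = 0; i < n; i++) diff |= p[i] ^ expected[i];
    return diff == 0;
}

/* 0x2776 handler: validate the received length before touching the buffer. */
static int handle_2776(struct session *s, const uint8_t *p, size_t n) {
    if (p == NULL || n == 0 || n > sizeof s->arg)
        return RC_BAD_LENGTH; /* the validation the report found missing */
    memcpy(s->arg, p, n);
    s->arg_len = n;
    return RC_OK;
}

/* Default deny: an unauthenticated session may only send the auth command. */
int dispatch(struct session *s, uint16_t id, const uint8_t *p, size_t n) {
    if (!s->authenticated) {
        if (id != CMD_AUTH || !check_credentials(p, n))
            return RC_DENIED; /* 0x2712 with NULL content ends here */
        s->authenticated = 1;
        return RC_OK;
    }
    switch (id) {
    case CMD_2776: return handle_2776(s, p, n);
    case CMD_2780: return RC_DENIED; /* assumption: Telnet toggle disabled in production */
    default:       return RC_UNKNOWN;
    }
}
```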
Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network. This can be done by setting up a dedicated SSID exclusively for IoT devices.
Additionally, IoT users can use the free Bitdefender Smart Home Scanner app to scan for connected devices, identify and highlight vulnerable ones. IoT device owners should also make sure that they check for newer firmware and update devices as soon as the vendor releases new versions.
To minimize risks of compromise, smart home users should consider the adoption of a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.