Bitdefender warns of smart IoT camera vulnerabilities

A brand of smart home security cameras used in Australia and New Zealand could be vulnerable to compromise by malicious actors looking to perform actions such as accessing people’s private video feeds, Bitdefender has warned.

Research from the cybersecurity company found that the EZVIZ smart home cameras contain multiple vulnerabilities that could also enable attackers to control cameras or download images from anywhere with an internet connection.

An estimated 10 million installed devices are impacted by the vulnerabilities, which include a stack-based buffer overflow vulnerability that can enable remote code execution in the motion detection routine.

Other identified vulnerabilities include an insecure direct object reference vulnerability in multiple API endpoints, passwords stored in a recoverable format, bypassing encryption, and an improper initialisation vulnerability which could allow attackers to recover administrator passwords.

When daisy-chained, these vulnerabilities allow complete control of the camera system, according to Bitdefender Director of IoT Security Dan Berte.

“Our analysis uncovered several vulnerabilities in the EZVIZ smart devices and their API endpoints that could allow an attacker to carry out a variety of malicious actions, including remote code execution and access to video feed,” he said.

“One of the main features of these devices is the ability to be accessed from anywhere the user has an internet connection. To accomplish this, user-device communication is relayed through servers in the cloud. When the smartphone app needs to contact a device, the cloud servers relay the messages back and forth.”

EZTV has distributed patches for the vulnerabilities, which Berte recommended users of the cameras install as soon as possible.

Image credit: iStock.com/Hispanolistic