A vulnerability found in Taiwanese manufacturer Edimax’s popular wireless day and night network cameras allows hackers to operate and control the devices remotely because of a hard-coded default password in their firmware.
- New critical vulnerability discovered in Edimax’s wireless day and night network cameras
- The vulnerability allows hackers to operate and control devices remotely
- The devices included a hard-coded default password hackers got access to
- The company apparently did not notify customers about the firmware flaw
- The vulnerability was patched in December
Submitted as CVE-2021-30165 on Taiwan’s Computer Emergency Response Team repository last Monday, the discoverer states that “the attacker may obtain the administrator account password through disassembly [of the firmware] and then control the device.”
After spending a few hours searching, I’ve failed to find an announcement by the company informing end-users of this flaw in their firmware. To Edimax’s credit, it has since patched the vulnerability back in December last year with version 3.12 of its firmware.
However, since customers are uninformed of the situation, people using the manufacturer’s cameras are likely to still be using the older vulnerable version.
We believe security online security matters and its our mission to make it a safer place.
The vulnerability found this week harkens back to 2013 when a massive scandal erupted as a household in Texas found that their baby monitor was hacked and a stranger was speaking to their two-year-old.
In this particular case, the infiltration came as a result of the couple using their device’s default password, which allowed anyone with a little time on their hands to take a peek.
The story then started a conversation about IP cameras and their flaws across hundreds of online publications. Unfortunately, discussions only took a few weeks to fade into the ether.
More recently, a report out of Chinese state news outlet South China Morning Post found that footage found in hacked hotel and home cameras is being sold online by people who manage to get their hands on them. Once again, conversations took place, and a few weeks later, they disappeared.
Since people tend to operate under the presumption that their network access is protected by their routers or can’t be bothered to set a password, one can find a surprising amount of unprotected network cameras just ripe for the taking.
Just look at a list of default passwords like this one and you’ll eventually strike gold. Even without the list, you’ll notice that most manufacturers choose to use the “admin/admin” combo for username and password or not bother to set one.
Any camera on the list I linked to showing “DHCP” as the default IP has a chance of hosting the live feed on a local server, meaning that once you know the port the camera broadcasts on, you can pop in and watch the feed yourself as soon as you figure out the household’s IP address.
Without DHCP, you may have to have physical access to the network. This isn’t hard to get a hold of if it has open WiFi access.
In the case of Edimax, the vulnerability doesn’t take the form of a default password that the user can change. Instead, the password is hard-coded into the firmware, making the consumer unwittingly open their network to external attacks.
If you own an Edimax camera, your only solution to this right now is to update the firmware to the latest version. In the case of the IC-3140W Day & Night Network Camera, you’ll have to download version 3.12 under “Firmware” using this link.
For some inexplicable reason, I also found that while the above US link removed the vulnerable 3.11 version of the device’s firmware, other localized download pages (like the one for UK customers) still host it. It’s how I was able to get my hands on the old BIN file in the first place.
One could look at both, spot the differences between the old and the new one, and then “walk along” the code to find the default password. Including the old version alongside the new one makes it even easier for enterprising hackers to reverse-engineer the firmware.
To mitigate these cybersecurity risks and help promote their customers’ safety, Edimax should remove deprecated versions of its firmware containing this vulnerability and provide messages urging customers to upgrade to 3.12. Wherever possible, the company could also email existing users of its products.
We’re in an era where connectivity and convenience erode privacy, and the need for more security awareness is paramount. Hopefully, by exposing this vulnerability, we can once again initiate the conversation we left hanging in 2013.