Baby monitors have become essential tools for keeping an eye on kids and nannies when away. Most cameras on the market are packed with features, ranging from real-time or motion-detection recording to two-way communication and anything in between.
As households get increasingly interconnected and crammed with video and audio sensors, privacy becomes more important than ever. At Bitdefender, we care deeply about security and have been working with IoT device manufacturers to identify vulnerabilities in the world’s best-selling connected devices.
While looking into the Victure IPC360 Camera, we have identified several vulnerabilities that let an outside attacker access the camera feed or disable encryption of streams stored on the cloud.
Additionally, an attacker sharing a network with the camera can enable the RTSP and ONVIF protocols or exploit a stack-based buffer overflow to completely hijack the device.
Vulnerabilities at a glance
- AWS bucket missing access control
- Camera information disclosure
- Remote control of cameras
- Local stack-based buffer overflow leading to remote code execution
- Hardcoded RTSP credentials
Disclosure Timeline
- Nov 03, 2020: Bitdefender makes first contact attempt with vendor through the website contact form and asks for PGP key
- Nov 20, 2020: Bitdefender makes another contact attempt with vendor via email and asks for PGP key
- Nov 20, 2020: We receive a generic email from a customer support person
- Nov 20, 2020: Bitdefender asks to be forwarded to security department
- Dec 02, 2020: Bitdefender receives generic support email asking for order number
- Dec 03, 2020: Bitdefender attempts one more time to submit vulnerability details
- Aug 5, 2021: Given that we received no answer from the vendor, Bitdefender proceeds with vulnerability disclosure