Zero-day vulnerabilities: defuse the violation of an IP camera and its possible impact on a company network

Case study

A single connected device such as an IP camera can be an attractive target for a cyber criminal

In a city or company infrastructure, the IoT attack surface includes all possible security vulnerabilities of connected devices, applications, and networks.

At first sight, an IP camera may seem harmless from a security point of view. However, particularly when connected to an IoT network, it may become an attractive target for a cyber criminal for three main reasons.

First is about privacy: the hacker may be interested in acquiring and analyzing live images of people living or moving in a certain area to learn their habits and behaviors, or get personal sensitive information (faces, car license plates, etc.). Secondly, the violation may grant visibility on the infrastructure to which the camera is connected and pave the way to a network attack. Last but foremost, the breach may also lead to the exploitation of its computational power for crypto mining, or as a node of a command-and-control network called botnet.

Challenge: Two zero-day vulnerabilities were detected on a newly installed IP camera. The company was exposed to a security risk

During a routine security assessment on the IoT network of a customer, Paradox Engineering's cyber security team detected a newly installed device, specifically an IP camera.

A research activity was run to assess if the camera could be considered secure enough for being used and exposed on a public network. The team discovered two zero-day vulnerabilities: as these software vulnerabilities are typically found by researchers or potential attackers before the vendor becomes aware of them, no patches are available for their resolution.

Discovering a zero-day vulnerability requires the adoption of an evil mindset and the expertise to ask the right questions: how many devices offer an attack surface? How deeply is the situation analyzed from the attacker's perspective?

To answer these questions as exhaustively as possible, Paradox Engineering’s cyber security experts leverage a methodological process that is part of the company's cyber security framework.

Solution: The IP camera should be removed, or a firewall should be installed

The analysis confirmed it was not secure to publicly expose the IP camera. The customer was given a detailed view of the risk the company was running. The first vulnerability would have allowed an unprivileged user to create a valid account to access all IP camera commands without being authorized. The second vulnerability was related to the passwords of the IP camera users. By reverse engineering the source code publicly available, it would have been possible to discover the salt used in the hash function which stores user passwords.

Two different solutions were suggested: remove the camera and replace it with a more secure product or install a firewall to limit the access to known IP addresses.

Outcome: The IP camera was removed and security levels were restored

The customer agreed to remove the IP camera to avoid any possible issue.

Taking care of the security monitoring of the company’s IoT network, Paradox Engineering succeeded in early detecting two zero-day vulnerabilities of a newly installed IP camera. The prompt response allowed the customer to mitigate the risk and restore the overall security level.

More information at www.pdxeng.ch.