A dangerous flaw discovered in Popular Hanwha Smart camera’s cloud server architecture that could allow an attacker to perform various malicious activities and to take complete control of the camera by changing the admin level Credentials.
Hanwha is a popular Security Cameras & Surveillance smart camera that capable of capturing video with resolutions of 1920×1080, 1280×720 or 640×360, monitoring sensors, recording sound using inbuilt speaker record audio.
This model has a rich feature list, compares favorably to regular webcams and can be used as a baby monitor, a component in a home security system or as part of a monitoring system.
It is communicating via cloud-based service for the communication to the operator instead of connecting to any computer to passing the users command.
Also, it configures with Wireless hotspot and connects it to the main WiFi router and users can control the camera From smartphones, tablets or computers.
Completely communication data should be only uploaded to the cloud and no other communication between the operator and camera.
A dangerous vulnerability discovered in cloud server architecture that is implemented within this camera allow attacker taking complete control of the cameras that are connected and communicate via the cloud.
According to Kaspersky Experts, One of the main problems associated with the cloud architecture is that it is based on the XMPP protocol. Essentially, the entire Hanwha smart camera cloud is a Jabber server. It has so-called rooms, with cameras of one type in each room. An attacker could register an arbitrary account on the Jabber server and gain access to all rooms on that server.
During to process of communication between camera and cloud, attacker manipulates the user credentials and communicate with the cloud on behalf of an arbitrary camera or control arbitrary cameras via the cloud.
In Attacker point of view, “An interesting attack vector is the spoofing of DNS server addresses specified in the camera’s settings. This is possible because the update server is specified as a URL address in the camera’s configuration file.”
This attack can be possible because of the vulnerabilities that exist in the Hanwha SmartСam cloud architecture.
Once an attacker gains complete control of the camera, they can control the camera’s from the global network.
Also Read: Hackers can use Surveillance Cameras and Infrared Light to Transfer Signals to Malware
List of Discovered Vulnerabilities in Hanwha Camera :
The following vulnerabilities were identified during the Kaspersky research:
- Use of insecure HTTP protocol during firmware update
- Use of insecure HTTP protocol during camera interaction via HTTP API
- An undocumented (hidden) capability for switching the web interface using the file ‘dnpqtjqltm’
- Buffer overflow in file ‘dnpqtjqltm’ for switching the web interface
- A feature for the remote execution of commands with root privileges
- A capability to remotely change the administrator password
- Denial of service for SmartCam
- No protection from brute force attacks for the camera’s admin account password
- A weak password policy when registering the camera on the server xmpp.samsungsmartcam.com. Attacks against users of SmartCam applications are possible
- Communication with other cameras is possible via the cloud server
- Blocking of new camera registration on the cloud server
- Authentication bypass on SmartCam. Change of administrator password and remote execution of commands.
- Restoration of camera password for the SmartCam cloud account
“Other possible scenarios involve attacks on camera users. The camera’s capabilities imply that the user will specify their credentials to different social media and online services, such as Twitter, Gmail, YouTube, etc. This is required for notifications about various events captured by the camera to be sent to the user.” Kaspersky said.
The flaw has been reported the detected vulnerabilities to the manufacturer. Some vulnerabilities have already been fixed. The remaining vulnerabilities are set to be completely fixed soon, according to the manufacturer.
Fixed vulnerabilities were assigned the following CVEs:
CVE-2018-6294
CVE-2018-6295
CVE-2018-6296
CVE-2018-6297
CVE-2018-6298
CVE-2018-6299
CVE-2018-6300
CVE-2018-6301
CVE-2018-6302
CVE-2018-6303
