Sunday, June 15, 2025
HomeCVE/vulnerabilityHackers Can Remotely Control Your Camera to Monitor and Record All Your...

Hackers Can Remotely Control Your Camera to Monitor and Record All Your Activities

Published on

SIEM as a Service

Follow Us on Google News

A  dangerous flaw discovered in Popular Hanwha Smart camera’s cloud server architecture that could allow an attacker to perform various malicious activities and to take complete control of the camera by changing the admin level Credentials.

Hanwha is a popular Security Cameras & Surveillance smart camera that capable of capturing video with resolutions of 1920×1080, 1280×720 or 640×360, monitoring sensors, recording sound using inbuilt speaker record audio.

This model has a rich feature list, compares favorably to regular webcams and can be used as a baby monitor, a component in a home security system or as part of a monitoring system.

- Advertisement - Google News

It is communicating via cloud-based service for the communication to the operator instead of connecting to any computer to passing the users command.

Also, it configures with Wireless hotspot and connects it to the main WiFi router and users can control the camera From smartphones, tablets or computers.

Completely communication data should be only uploaded to the cloud and no other communication between the operator and camera.

Interaction with the cameras is via the cloud only

A dangerous vulnerability discovered in cloud server architecture that is implemented within this camera allow attacker taking complete control of the cameras that are connected and communicate via the cloud.

According to Kaspersky Experts, One of the main problems associated with the cloud architecture is that it is based on the XMPP protocol. Essentially, the entire Hanwha smart camera cloud is a Jabber server. It has so-called rooms, with cameras of one type in each room. An attacker could register an arbitrary account on the Jabber server and gain access to all rooms on that server.

During to process of communication between camera and cloud, attacker manipulates the user credentials and communicate with the cloud on behalf of an arbitrary camera or control arbitrary cameras via the cloud.

In Attacker point of view, “An interesting attack vector is the spoofing of DNS server addresses specified in the camera’s settings. This is possible because the update server is specified as a URL address in the camera’s configuration file.”

This attack can be possible because of the vulnerabilities that exist in the Hanwha SmartСam cloud architecture.

Once an attacker gains complete control of the camera, they can control the camera’s from the global network.

Also Read: Hackers can use Surveillance Cameras and Infrared Light to Transfer Signals to Malware

List of Discovered Vulnerabilities in Hanwha Camera :

The following vulnerabilities were identified during the Kaspersky research:

  • Use of insecure HTTP protocol during firmware update
  • Use of insecure HTTP protocol during camera interaction via HTTP API
  • An undocumented (hidden) capability for switching the web interface using the file ‘dnpqtjqltm’
  • Buffer overflow in file ‘dnpqtjqltm’ for switching the web interface
  • A feature for the remote execution of commands with root privileges
  • A capability to remotely change the administrator password
  • Denial of service for SmartCam
  • No protection from brute force attacks for the camera’s admin account password
  • A weak password policy when registering the camera on the server xmpp.samsungsmartcam.com. Attacks against users of SmartCam applications are possible
  • Communication with other cameras is possible via the cloud server
  • Blocking of new camera registration on the cloud server
  • Authentication bypass on SmartCam. Change of administrator password and remote execution of commands.
  • Restoration of camera password for the SmartCam cloud account

“Other possible scenarios involve attacks on camera users. The camera’s capabilities imply that the user will specify their credentials to different social media and online services, such as Twitter, Gmail, YouTube, etc. This is required for notifications about various events captured by the camera to be sent to the user.” Kaspersky said.

The flaw has been reported the detected vulnerabilities to the manufacturer. Some vulnerabilities have already been fixed. The remaining vulnerabilities are set to be completely fixed soon, according to the manufacturer.

Fixed vulnerabilities were assigned the following CVEs:

CVE-2018-6294
CVE-2018-6295
CVE-2018-6296
CVE-2018-6297
CVE-2018-6298
CVE-2018-6299
CVE-2018-6300
CVE-2018-6301
CVE-2018-6302
CVE-2018-6303

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Kali Linux 2025.2 Released: New Tools, Smartwatch and Car Hacking Added

Kali Linux, the preferred distribution for security professionals, has launched its second major release...

Arsen Launches AI-Powered Vishing Simulation to Help Organizations Combat Voice Phishing at Scale

Arsen, the cybersecurity startup known for defending organizations against social engineering threats, has announced...

NIST Releases New Guide – 19 Strategies for Building Zero Trust Architectures

The National Institute of Standards and Technology (NIST) has released groundbreaking guidance to help...

Spring Framework Flaw Enables Remote File Disclosure via “Content‑Disposition” Header

A medium-severity reflected file download (RFD) vulnerability (CVE-2025-41234) in VMware's Spring Framework has been...

Credential Abuse: 15-Min Attack Simulation

Credential Abuse Unmasked

Credential abuse is #1 attack vector in web and API breaches today (Verizon DBIR 2025). Join our live, 15-min attack simulation with Karthik Krishnamoorthy (CTO - Indusface) and Phani Deepak Akella (VP of Marketing - Indusface) to see hackers move from first probe to full account takeover.

Discussion points


Username & email enumeration – how a stray status-code reveals valid accounts.
Password spraying – low-and-slow guesses that evade basic lockouts.
Credential stuffing – lightning-fast reuse of breach combos at scale.
MFA / session-token bypass – sliding past second factors with stolen cookies.

More like this

Severe WSO2 SOAP Flaw Allows Unauthorized Password Resets for Any Use

A newly disclosed vulnerability, CVE-2024-6914, has shocked the enterprise software community, affecting a wide...

CISA Alerts on Threat Actors Targeting Commvault Azure App to Steal Secrets

On May 22, 2025, Commvault, a leading enterprise data backup provider, issued an urgent...

Volkswagen Car Hack Exposes Owner’s Personal Data and Service Records

Tech-savvy Volkswagen owner has uncovered critical security flaws in the My Volkswagen app that...