Firedome Discloses 0-Day Vulnerabilities in Yale IP Cameras
This January, Firedome Labs’ research team identified and disclosed several 0-day vulnerabilities in Yale-branded smart IP cameras that would allow attackers to take full control of the devices. Firedome worked directly with Yale to explain the vulnerabilities; Yale patched them within weeks, and they no longer pose a threat.
The vulnerabilities were in the firmware of the Yale WIPC-301W IP camera, whose local web server our team found to be susceptible to Remote Code Execution. This gives an attacker full control over the device: breaching the user’s privacy and sensitive personal information by viewing the video feed, stealing files, disabling or bricking the device, installing ransomware, obtaining a remote command shell with root (highest) permissions, and so on.
Using the exploited vulnerability, Firedome installed the Firedome Endpoint Protection Agent on the vulnerable device. The agent’s threat detection, response, and prevention mechanisms closed the vulnerability, effectively making the device immune to it and to further unknown vulnerabilities that may exist in the system. An attacker could have exploited the flaw in the same way to install malware or steal private data.
Firedome’s research team then dug further to estimate the scale of the problem by scanning the internet for other devices with similar flaws. It found several other companies that use the same base firmware and are therefore very likely to be susceptible to the same attacks.
We found the overall reach concerning: 45K vulnerable devices worldwide running the affected firmware versions (2.x.2.29 to 2.x.2.43_p1). Furthermore, since the scan only covered devices with direct internet access (excluding devices behind NAT), the actual number of vulnerable devices is estimated to be much higher.
The camera runs an HTTP web interface on port 88, served by a local lighttpd web server that passes API commands on through a FastCGI interface. Although the web interface is local, it can easily be exposed to the internet via UPnP, port forwarding, etc., as we demonstrate in the summary that follows.
While the Web UI itself cannot be used from a web browser (we suspect Yale disabled it so that the camera can only be used from the mobile app), the web server’s API still processes incoming HTTP requests, so it remains susceptible to attack. Furthermore, the communication lacks HTTPS encryption, so an unsecured plain-text channel is used, and the device’s credentials are passed in plain text in every API command to the web server.
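Because the API runs over plain HTTP on a fixed port and carries credentials in every request, a network sensor or proxy in front of the camera can spot the exposure directly from request logs. The following Python is an added example, not code from Firedome or Yale: it scans constructed HTTP request records for plain-text camera API traffic that carries credential-like query parameters, and marks which of those requests came from outside the local network. The log format, the credential parameter names (usr, user, pwd, password, and so on) and the internal address ranges are assumptions for illustration; the page does not document the camera’s actual parameter names.

```python
"""Flag plain-text camera API requests that carry credentials.

Added example, not code from Firedome or Yale. It assumes a proxy or network
sensor log with one record per HTTP request: (client_ip, "host:port",
request_line). The credential parameter names and the internal network ranges
are assumptions, not values taken from the camera's firmware.
"""
import ipaddress
from urllib.parse import parse_qs, urlsplit

# Plain-text API port described in the write-up.
CAMERA_API_PORT = 88

# Assumption: query-string keys that commonly carry credentials. The camera's
# real parameter names are not documented on the page.
CREDENTIAL_KEYS = {"usr", "user", "username", "pwd", "pass", "password"}

# Assumption: the monitored LAN uses RFC 1918 space; anything else is "external".
# (ipaddress.is_private is deliberately not used, because it also treats the
# documentation ranges used in the sample data below as private.)
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in
                     ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample records (documentation IP ranges, made-up paths and values).
SAMPLE_RECORDS = [
    ("203.0.113.7", "192.168.1.20:88",
     "GET /cgi-bin/api?cmd=getStatus&user=admin&pwd=hunter2 HTTP/1.1"),
    ("198.51.100.4", "192.168.1.20:88",
     "GET /cgi-bin/api?cmd=snapPicture&user=admin&pwd=hunter2 HTTP/1.1"),
    ("10.0.0.5", "192.168.1.20:88",
     "GET /cgi-bin/api?cmd=getStatus&user=admin&pwd=hunter2 HTTP/1.1"),
    ("10.0.0.5", "192.168.1.20:88",
     "GET /cgi-bin/api?cmd=getTime HTTP/1.1"),          # no credentials: not flagged
    ("10.0.0.5", "192.168.1.30:443",
     "GET /index.html HTTP/1.1"),                       # other service: ignored
]


def is_internal(ip):
    """True if the client address falls inside one of the assumed LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def parse_request_line(request_line):
    """Split 'METHOD /path?query HTTP/x' into (method, path, query dict)."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return method, parts.path, parse_qs(parts.query)


def credential_params(query):
    """Return the credential-like parameter names present in a parsed query."""
    return sorted(k for k in query if k.lower() in CREDENTIAL_KEYS)


def analyse(records):
    """Return one finding per plain-text camera API request carrying credentials."""
    findings = []
    for client, dst, request_line in records:
        host, _, port = dst.rpartition(":")
        if int(port) != CAMERA_API_PORT:
            continue
        _method, path, query = parse_request_line(request_line)
        creds = credential_params(query)
        if not creds:
            continue
        findings.append({
            "client": client,
            "camera": host,
            "path": path,
            "credential_params": creds,
            "external_client": not is_internal(client),
        })
    return findings


def summarise(findings):
    """Counts a defender would alert on: credential leaks, and how many from outside."""
    return {
        "plaintext_credentials": len(findings),
        "from_external_clients": sum(f["external_client"] for f in findings),
    }


if __name__ == "__main__":
    results = analyse(SAMPLE_RECORDS)
    for finding in results:
        print(finding)
    print(summarise(results))
```

Any hit at all shows credentials crossing the wire unencrypted, which is the weakness the paragraph describes; a hit from an external client additionally shows that the port-88 interface has been exposed beyond the LAN, whether by UPnP or by a manual port forward.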
For more specific technical details, please see the full vulnerability report.
“Firedome LABS research team identified a vulnerability in the Yale WIPC-301W IP camera IoT device that is currently being phased out of the market.
The minor issue has been resolved and measures have been put in place to prevent a similar accordance.
We can confirm that our customers’ data was not compromised and that the system is secure.
Many companies like Firedome are actively testing for vulnerabilities in smart residential products across the industry. The team at Firedome acted with speed and professionalism to notify us of the issue, which was rectified by our team.
We take security and data protection very seriously and are continuously striving to improve our processes and procedures.”
To learn more about how Firedome’s proactive IoT cybersecurity can help protect you against similar vulnerabilities, while opening up revenue opportunities from Security Leadership positioning, contact us.
This blog was co-written by Dor Alt, who discovered these vulnerabilities. Prior to his Security Researcher role at Firedome, Dor held R&D and network engineering positions at various confidential offensive cyber-security companies. Dor has 10 years of experience in various roles in the cyber security domain.