Critical IoT Camera Flaw Allows Device Hacking

Security researchers have discovered another critical bug in IoT security camera systems that could allow attackers to hijack devices.

Nozomi Networks found a remote code execution vulnerability CVE-2021-32941 in the web service of the Annke N48PBB Network Video Recorder (NVR) – used by consumers and businesses.

NVRs are an important part of any connected security camera system, as they are designed to capture, store, and manage incoming video streams from IP cameras.

If exploited, the vulnerability could cause a stack-based buffer overflow, allowing an unauthenticated remote attacker to access sensitive information and execute code, according to an ICS advisory of the Cybersecurity and Infrastructure Security Agency (CISA).

Nozomi Networks said this could result in loss of device privacy, integrity and availability. In practice, this means allowing attackers to spy on or delete footage, change the alarm configuration of motion detectors, or stop recording altogether.

As such, a cyber attack exploiting CVE-2021-32941 could be used to support physical thefts from premises protected by Annke devices.

The bug itself could be exploited directly by attackers to elevate privileges on the system and indirectly in download attacks.

“It only takes an administrator, operator or user to browse a specially crafted web page, while simultaneously logged into the device’s web interface, to potentially cause the execution of external malicious code on the device,” Nozomi warned.

Fortunately, Annke acted quickly to fix the issue, releasing new firmware to correct the problem just 11 days after Nozomi’s responsible disclosure.

This is the second critical flaw affecting IoT cameras that Nozomi Networks has found this summer. In June, it warned of a bug in a popular software component from ThroughTek, which OEMs use to make IP cameras and baby and pet surveillance cameras.

It could also have allowed attackers to listen to users.

Another vulnerability was discovered on ThroughTek’s Kalay platform last week, potentially affecting millions of devices.
