Serious security flaws uncovered in Cacagoo IP cameras.
Avira’s Internet of Things (IoT) Research Lab routinely tests IoT devices to make sure they are safe for general use. The IoT threat landscape is evolving, and IoT devices often contain security flaws/vulnerabilities that open the door to attacks. Because IP cameras play an important role in smart homes and offices, ironically often with the express purpose of enhancing security, we closely research IP camera flaws/vulnerabilities without targeting any specific company or vendor. During our assessment of various IoT devices, we got our hands on a Cacagoo IP camera. We found vulnerabilities that not only let attackers intercept and view recorded video, but also enable them to manipulate the device itself as well as other devices on the same network. Our aim is not to damage the reputation of any product, company, or manufacturer, but merely to conduct research and inform vendors of our findings so that they can be patched in time, thereby protecting users and products from being compromised.
- The telnet service can be compromised by a brute-force password attack; it accepts the default credentials login: root, password: cxlinux — CVE-2020-6852
- Weak authentication of the RTSP service (no password required) — CVE-2020-9349
- Suspicious behavior has been detected where data is posted to a random Chinese domain
Device Specification: Cacagoo IP camera
- Device Name: CACAGOO Cloud Storage Intelligent Camera
- Manufacturer: Shenzhen TOMTOP Technology Co., Ltd.
- Firmware Version: 3.4.2.0919
- Application: YCC365 plus
- Application Version: 3.1042.9.8733
- Manufacturer Mailing Address: G-4 Zone 5/F, No.1 Exchange Square, Huanan City, Pinghu Town Longgang District, Shenzhen, Guangdong, China
- Email Address: firstname.lastname@example.org
- Importer Name: FISHING KING, SLU
- Importer Address: PIEDRABUENA,4,4B, MADRID, 28026 Spain
Exploiting the telnet service.
We used nmap to see which services the device runs (i.e. nmap -sV <device_ip>) and observed that telnet, HTTP, and RTSP services are listening.
We then attempted to access the telnet service using a Metasploit module to perform a brute-force attack with a custom username/password list. In doing so, we managed to log in to the telnet session with root privileges. Here are the screenshots:
Cacagoo IP Camera screenshots
Penetrating and Exploiting other systems in the network using the camera
We also observed that the ftpget utility is present on the camera, so once an attacker has telnet access they can use it to download and install malware or place a backdoor. To replicate a real-world attack scenario, we placed a backdoor on the camera that can scan the rest of the network for other accessible or vulnerable systems and exploit them. Attackers can send commands to these systems and use such cameras as CnC (command and control) nodes.
Weak authentication of the RTSP service of the camera (no password required)
We observed that the RTSP service is listening on ports 554 and 8001. We ran our local arsenal of tools to enumerate RTSP credentials and routes, and found that the stream asks for a username and password. To see whether we could view a live video stream, we opened VLC and browsed to rtsp://192.168.1.189:8001/
VLC showed an RTSP authentication pop-up. We entered admin as the username and left the password field empty. To our surprise, we could view a LIVE video stream! We captured the packet stream to inspect what was being transferred. Below are the output and authentication screenshots taken before the RTSP packets are sent.
Looking at the traffic, it is clear that the authentication is weak. “YWRtaW46” is the Base64 encoding of username:password, here “admin:” with an empty password, and it is sent in the clear. Weak authentication in the RTSP protocol is indeed a security flaw, as an intruder can capture sensitive video/audio by exploiting it.
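To make the RTSP finding reproducible on a camera you own, the following added example (written for this page, not Avira’s or the vendor’s code) builds the RTSP DESCRIBE request with the same Basic credential the traffic above shows, parses the status line of the reply, and classifies the result as open, weakly authenticated or rejected. The embedded responses are constructed samples; the camera address, port, path and the user name admin are the values quoted in the write-up and are assumed to apply to the device under test.

```python
import base64
import socket
from typing import Optional

def basic_auth_header(username: str, password: str) -> str:
    """Basic credential as RTSP/HTTP send it: base64("user:pass"). For admin and an
    empty password this is exactly the 'YWRtaW46' token seen in the capture."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return f"Basic {token}"

def build_describe_request(url: str, cseq: int, auth: Optional[str] = None) -> bytes:
    """Minimal RTSP/1.0 DESCRIBE; DESCRIBE is the first request a player such as
    VLC sends, so the server's answer tells us whether credentials are required."""
    lines = [f"DESCRIBE {url} RTSP/1.0", f"CSeq: {cseq}", "Accept: application/sdp"]
    if auth:
        lines.append(f"Authorization: {auth}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()

def parse_status(response: bytes) -> int:
    """Return the numeric status from an RTSP status line such as 'RTSP/1.0 401 Unauthorized'."""
    status_line = response.split(b"\r\n", 1)[0].decode(errors="replace")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        raise ValueError(f"not an RTSP status line: {status_line!r}")
    return int(parts[1])

def classify(status_no_auth: int, status_empty_password: int) -> str:
    """Turn the two probe results into a finding a defender can act on."""
    if status_no_auth == 200:
        return "OPEN: stream served without any credentials"
    if status_empty_password == 200:
        return "WEAK: default user with empty password accepted"
    if status_empty_password in (401, 403):
        return "OK: empty password rejected"
    return f"UNKNOWN: statuses {status_no_auth}/{status_empty_password}"

def rtsp_describe_status(host: str, port: int, path: str,
                         auth: Optional[str] = None, timeout: float = 5.0) -> int:
    """Send one DESCRIBE over a plain TCP socket and read the response headers."""
    url = f"rtsp://{host}:{port}{path}"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe_request(url, 1, auth))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return parse_status(data)

def audit_camera(host: str, port: int = 8001, path: str = "/", user: str = "admin") -> str:
    """Probe once without credentials and once as <user> with an empty password."""
    no_auth = rtsp_describe_status(host, port, path)
    empty_pw = rtsp_describe_status(host, port, path, basic_auth_header(user, ""))
    return classify(no_auth, empty_pw)

# Constructed sample responses (not captured from the device) for offline testing.
SAMPLE_401 = b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\nWWW-Authenticate: Basic realm=\"camera\"\r\n\r\n"
SAMPLE_200 = b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    # Address and port from the write-up; replace with your own camera.
    print(audit_camera("192.168.1.189", 8001))
```

The two-probe design matters: a 200 without any Authorization header is a different (worse) finding than a 200 only for admin with an empty password, and the classification keeps them apart so the remediation ticket can say which one applies.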
Unencrypted audio/video in the camera network traffic
Furthermore, the video/audio traffic itself is unencrypted, as the capture and images below show. Quite apart from the weak RTSP authentication, the stream should be encrypted or carried over a secure transport such as SRTSP, so that an intruder who captures the audio/video traffic cannot simply play it back.
Suspicious behaviour detected whereby the camera posted random data to a Chinese domain
During our network behavioral analysis of the device, we observed suspicious behavior in the traffic of the YCC365 plus app that really caught our attention. The traffic is as below:
The app tries to connect to an unrelated Chinese domain, ebjvu[.]cn, which resolves to 220.127.116.11. Information is being leaked through the app, which is suspicious and can be considered a security flaw.
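The indicators above (the ebjvu[.]cn domain and the 220.127.116.11 address) are easiest to act on at the home or office resolver, where every lookup from the camera and the phone app passes through. The following added example (written for this page, not Avira’s code) parses dnsmasq-style query and reply lines, raises a hit for the listed domain or address, and separately reports every destination a given device contacted that is not on an allowlist of expected vendor domains, which is the check that would catch a future unlisted domain as well. The log lines are constructed; 192.168.1.189 is the camera address from the write-up, the other hosts and the vendor-cloud.example allowlist entry are placeholders.

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Indicators quoted in the write-up (domain kept defanged in the source, refanged for matching).
WATCHLIST_DOMAINS = {"ebjvu[.]cn"}
WATCHLIST_IPS = {"220.127.116.11"}

# Constructed sample log in dnsmasq's "query[A] <name> from <client>" / "reply <name> is <addr>" format.
SAMPLE_LOG = """\
Mar  3 10:12:01 gw dnsmasq[812]: query[A] api.vendor-cloud.example from 192.168.1.189
Mar  3 10:12:01 gw dnsmasq[812]: reply api.vendor-cloud.example is 203.0.113.10
Mar  3 10:12:07 gw dnsmasq[812]: query[A] ebjvu.cn from 192.168.1.189
Mar  3 10:12:07 gw dnsmasq[812]: reply ebjvu.cn is 220.127.116.11
Mar  3 10:12:09 gw dnsmasq[812]: query[A] www.example.com from 192.168.1.20
Mar  3 10:12:09 gw dnsmasq[812]: reply www.example.com is 198.51.100.7
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)")
REPLY_RE = re.compile(r"reply (?P<name>\S+) is (?P<addr>\S+)")

def refang(ioc: str) -> str:
    """Turn the defanged 'ebjvu[.]cn' notation back into a comparable host name."""
    return ioc.replace("[.]", ".").lower()

def parse_dns_log(text: str) -> List[Dict[str, str]]:
    """Parse query/reply lines into events. dnsmasq reply lines carry no client
    address, so each reply is attributed to the most recent query for that name."""
    events: List[Dict[str, str]] = []
    client_for_name: Dict[str, str] = {}
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            name = m["name"].lower()
            client_for_name[name] = m["client"]
            events.append({"kind": "query", "client": m["client"], "name": name, "addr": ""})
            continue
        m = REPLY_RE.search(line)
        if m:
            name = m["name"].lower()
            events.append({"kind": "reply", "client": client_for_name.get(name, "?"),
                           "name": name, "addr": m["addr"]})
    return events

def find_ioc_hits(events: List[Dict[str, str]],
                  domains: Iterable[str] = WATCHLIST_DOMAINS,
                  ips: Iterable[str] = WATCHLIST_IPS) -> List[Tuple[str, str, str]]:
    """Return (client, name, reason) for every event touching a watchlisted domain or address."""
    bad_domains = {refang(d) for d in domains}
    bad_ips = set(ips)
    hits = []
    for ev in events:
        reasons = []
        if ev["name"] in bad_domains:
            reasons.append("domain on watchlist")
        if ev["kind"] == "reply" and ev["addr"] in bad_ips:
            reasons.append(f"resolves to watchlisted {ev['addr']}")
        if reasons:
            hits.append((ev["client"], ev["name"], "; ".join(reasons)))
    return hits

def unexpected_destinations(events: List[Dict[str, str]], client: str,
                            allowed_suffixes: Iterable[str]) -> Set[str]:
    """Names queried by <client> that are neither an allowlisted domain nor a subdomain of one."""
    allowed = [s.lower().lstrip(".") for s in allowed_suffixes]
    def permitted(name: str) -> bool:
        return any(name == a or name.endswith("." + a) for a in allowed)
    return {ev["name"] for ev in events
            if ev["kind"] == "query" and ev["client"] == client and not permitted(ev["name"])}

if __name__ == "__main__":
    evs = parse_dns_log(SAMPLE_LOG)
    for client, name, reason in find_ioc_hits(evs):
        print(f"HIT {client} -> {name}: {reason}")
    print("camera talked to:", unexpected_destinations(evs, "192.168.1.189", ["vendor-cloud.example"]))
```

The allowlist check is the one worth keeping after the specific indicator is blocked: an IoT device has a small, stable set of legitimate destinations, so anything outside that set from the camera's address is a finding in its own right rather than something that depends on a published IoC list.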
As the research shows, there are serious security issues with this device and its web interface. These definitely need to be fixed to improve security before access falls into the wrong hands. Here are a few of our recommendations:
- Close the telnet service, as the open telnet service is vulnerable to brute-force attacks.
- Fix the weakly authenticated RTSP access.
- Establish a strong password mechanism to stop attackers getting access to the live video feed.
- Stop the app from sending data to an unrelated website.