Monday, 30 June 2014

IP Camera Leaks Your Camera Feed to Anyone - And Also Your Home Wireless Network's Password in Plain Text

The Tenvis JPT3815W camera shows your video to anyone without a password. It also reveals the password for accessing your wireless network in plain text.

These exploits are not related to my previous report where devices shipped with default empty passwords. These exploits exist even with a secure password set. The need for a password is completely bypassed.

Today, I received a message from Dimitris Platis pointing me to his blog post here - https://platis.solutions/blog/2014/06/30/tenvis-jpt3815w-camera-a-cheap-network-camera-if-you-can-afford-the-huge-security-holes/. He had read this very review of the Tenvis JPT3815W IP camera before purchasing and discovering the vulnerability and wanted to let me know about it.

He discovered a serious flaw in the camera that would expose private data to anyone without the need for any credentials.

What kind of private data? Well, not only can you view the feed from the camera without a password, but shockingly, you can also retrieve the password of the wireless network to which the camera is connected.

It is all explained in his blog post, so please spend the time to read it as I won't repeat it all here. Essentially, if you want to see if you are affected, you can add /snapshot.cgi or /get_params.cgi to the end of your camera's IP address and port.

For instance, if you usually access your camera at http://192.168.1.239:81, try:

http://192.168.1.239:81/snapshot.cgi
http://192.168.1.239:81/get_params.cgi

You SHOULD be prompted to enter your camera's username and password. (If you have previously entered them, try using Incognito Mode in your browser.) However, on at least one model of camera with a specific firmware, no credentials are needed and both URLs return sensitive data.

While we were working together, Dimitris provided me with the URL pointing to this camera. This URL is public to the internet but most of the APIs are protected with HTTP Basic Authentication. The problem is that /snapshot.cgi and /get_params.cgi are not protected with HTTP Basic Auth; they aren't protected at all.
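The same check can be scripted against your own camera. The following is an added example, not code from this post or from Dimitris's write-up: it requests the two paths named above with no credentials and reports whether the camera answers with an HTTP Basic Auth challenge (401) or hands back data. The function names, the 5 second timeout and the verdict strings are assumptions made for the example; the default address is the example address used above.

```python
"""Self-check: do your camera's CGI endpoints answer without credentials?"""
import sys
import urllib.error
import urllib.request

# The two paths named in the post.
PATHS = ("/snapshot.cgi", "/get_params.cgi")


def probe(base_url, path, timeout=5):
    """Request base_url + path with no Authorization header.

    Returns 'protected' (401 with a challenge), 'EXPOSED' (2xx with a body),
    or 'inconclusive: ...' for anything else.
    """
    # Fresh opener: no stored credentials (the scripted equivalent of
    # Incognito Mode) and no system proxy, since the camera is on the LAN.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    req = urllib.request.Request(base_url.rstrip("/") + path)
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(64)  # a few bytes prove the point; nothing is stored
            if 200 <= resp.status < 300 and body:
                return "EXPOSED"
            return f"inconclusive: HTTP {resp.status}, empty body"
    except urllib.error.HTTPError as err:
        # A correctly protected endpoint refuses with 401 and a challenge header.
        if err.code == 401 and err.headers.get("WWW-Authenticate"):
            return "protected"
        return f"inconclusive: HTTP {err.code}"
    except (urllib.error.URLError, OSError) as err:
        return f"inconclusive: {err}"


def check_camera(base_url):
    """Probe every path in PATHS and return {path: verdict}."""
    return {path: probe(base_url, path) for path in PATHS}


if __name__ == "__main__":
    # Pass your own camera's address and port as the first argument.
    base = sys.argv[1] if len(sys.argv) > 1 else "http://192.168.1.239:81"
    results = check_camera(base)
    for path, verdict in results.items():
        print(f"{path:18} {verdict}")
    sys.exit(1 if "EXPOSED" in results.values() else 0)
```

The script exits with status 1 if either path is exposed, so it can be re-run after any firmware update to confirm whether the camera now asks for credentials.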

So far, the Tenvis JPT3815W 2014 edition camera is known to be affected:
Hardware Version = 1.10
Firmware Version = 1.1.0.5

I attempted the same exploit on my JPT3815W 2013 edition and it did not exist.

The impact of this is massive. Tenvis uses a DDNS system in which each user is assigned a very short unique ID to separate them from other users. That means that it is very (VERY!) easy to find other Tenvis users. From there, it is again very easy to test if they are vulnerable to this exploit.

At present, there is no newer version of the firmware available for the 2014 model, meaning the only advice I can offer is to ensure you keep the camera protected by not using the DDNS functionality, or better yet, request a refund and turn it off altogether.