Several models of home security cameras from the Chinese firm EZVIZ contain vulnerabilities that could be exploited by hackers to remotely control them and even download images from them.
A recent investigation by the security company Bitdefender found three remote and one local vulnerability in EZVIZ’s cameras. Fortunately, EZVIZ worked together with Bitdefender’s researchers to address these vulnerabilities and issue patches for them in a timely fashion.
However, if you own any of the security cameras listed below, you will need to update them in order to prevent falling victim to any attacks that leverage these vulnerabilities. Here are the model numbers of the affected devices along with their firmware from a vulnerability notice released by EZVIZ:
- CS-CV248 - versions below V5.2.3 build 220725
- CS-C6N-A0-1C2WFR - versions below V5.3.0 build 220428
- CS-DB1C-A0-1E2W2FR - versions below V5.3.0 build 220802
- CS-C6N-B0-1G2WF - versions below V5.3.0 build 220712
- CS-C3W-A0-3H4WFRL - versions below V5.3.5 build 220723
According to its listing on the Google Play Store, the EZVIZ app has been downloaded more than 10 million times, which means that the company has potentially millions of users who could be impacted by these vulnerabilities. Bitdefender also noted in its discussions with Tom’s Guide that other EZVIZ security cameras could also be affected since the company has a large product portfolio and its researchers were unable to test every security camera individually.
Remotely controlling cameras and downloading images
Based on a new whitepaper (PDF) from Bitdefender, we know a bit more about each of the security flaws in question and how they could be exploited by an attacker to remotely take control of vulnerable EZVIZ cameras.
The security firm’s researchers uncovered several vulnerabilities in EZVIZ smart security cameras and their API endpoints that an attacker could leverage to carry out a variety of malicious actions including remote code execution and access to a camera’s video feed.
The first vulnerability (tracked as CVE-2022-2471) was found in the configMotionDetectArea API endpoint. As EZVIZ’s cameras are accessible from anywhere, user-device communication is relayed through servers in the cloud using a number of commands. Bitdefender’s researchers found that they could overload a camera’s local stack buffer to achieve remote code execution in its motion detection routine.
An Insecure Direct Object Reference vulnerability was also found in multiple API endpoints that could be exploited by an attacker to download images and issue commands to an EZVIZ security camera as if they were its owner. Likewise, after downloading images from an affected camera, Bitdefender’s researchers found that although the images were encrypted, they could recover the encryption key for these images using an API endpoint. The endpoint returned a camera’s password in plaintext which allowed the researchers to decrypt and access the images.
The final security flaw discovered by Bitdefender (tracked as CVE-2022-2472) was an improper initialization vulnerability that could be used by an attacker to recover the admin password of a device and completely take it over.
How to protect your EZVIZ cameras from hackers?
After discovering these issues in EZVIZ’s cameras, Bitdefender contacted the firm back in April of this year. EZVIZ promptly responded and then conducted an internal assessment before asking for additional time to fix and patch the vulnerabilities in question.
In a statement to Tom's Guide, an EZVIZ spokesperson provided further insight on how the company worked with Bitdefender to fix these vulnerabilities, saying:
"Over the past months, we have been working transparently and responsively with Bitdefender to patch and verify the successful remediation of the reported vulnerabilities following the standard Coordinated Disclosure Progress. As a company with “safety” in our DNA, EZVIZ is committed to continuing to work with third-party ethical hackers and security researchers to find, patch, disclose and release updates to products in a manner that best protects our users and their homes."
At the time of writing, all of these vulnerabilities have been addressed in the latest firmware which EZVIZ users can download via the EZVIZ app. However, the company’s customers also should have received a push notification with the updated firmware. If you haven’t updated your EZVIZ security cameras yet, you should do so immediately as hackers may still try and craft exploits that leverage these now patched security flaws.
Outdoor security cameras can be a great deterrent that can help keep you and your family safe. However, if accessed by hackers, they could end up doing more harm than good while compromising both your security and your privacy.
Next: I’m testing Roku’s new security cameras — and this is one feature I really like.
