Two more low-priced security cameras have been found to have serious security flaws, according to a report from Israeli information-security firm Checkmarx.
The Loftek CXS-2200 and VStarcam C7837WIP, which look nearly identical, contained more than a dozen vulnerabilities between them, many of which would let an attacker take over the camera from the internet.
"The vulnerabilities just kept on coming," the report notes. "A malicious user can exploit your device to track your day-to-day, know when you’re home or out, steal your email information, steal your wireless connection, gain control of other connected devices, use your camera as a bot, listen in to your conversations, record video, and more."
"It is clearly worth spending a bit more money on a more secure camera," the report adds.
We can't put it better; in our experience, it's not worth buying a sub-$100 home security camera as you'll likely be making your home less secure overall.
If you do have one of these models, make sure it sits behind a network firewall that filters traffic in both directions (inbound from the internet and outbound from the camera), and look over the documentation to see if there's a way to change the default username and password.
Last fall, a massive botnet of internet-connected DVRs and security cameras (though probably not home models) disrupted internet connections in parts of North America. The Checkmarx researchers called the two cameras "fertile ground" for a rerun.
"If your camera is connected, you’re definitely at risk," the Checkmarx report said. "It’s as simple as that."
The VStarcam sells for between $25 and $50 online. The Loftek model is available used on Amazon for $99.99, but other sites indicate that a new model costs between $60 and $70.
Both models seem to run very similar software, which Checkmarx said was called Netwave IP Camera. A global scan using the Shodan search engine turned up 1.2 million devices running that software facing the internet. It's likely that many times more are being used behind firewalls and on internal networks.
Both cameras apparently had the default username, "admin", and default password, "123456", printed on a sticker on their bases. Many cameras suggest that you change those credentials after setup, and some force you to do so. But with these two, the Checkmarx blog said, "there was no recommendation or enforcement for a password change."
The VStarcam enabled remote connections via Telnet, a 1970s-era communications protocol with no encryption or other security, but did not mention this fact in the documentation.
You could also hijack the VStarcam simply by creating a Wi-Fi network whose name contained a specific command; as soon as the VStarcam saw that network in its list of available networks, it would send the attacker its administrative username and password.
The Loftek let you send it an HTTP command that would let you remotely create a new administrator account on the device — and make the new account's username a blank space so that it wouldn't show up in the camera's control interface.
Checkmarx said it sent emails in March to both Loftek and VStarcam informing the manufacturers of the vulnerabilities. "We are yet to receive replies," the report said.
VStarcam is based in China, but Loftek is based in San Jose, California. A telephone call and email to Loftek seeking comment were not immediately returned.