IoT home security camera allows hackers to listen in over HTTP

Unauthenticated, remote snooping is possible over the Internet.
Unauthenticated, remote snooping is possible over the Internet.

Security researchers have uncovered a security flaw in a popular home security camera which permits remote spying without any form of authentication. 

This week, researchers from cybersecurity firm Tenable said the Amcrest IP2M-841B IP camera, available on Amazon and subject to 12,000 customer reviews — many of which are positive — contained a serious bug which is “trivial” to exploit. 

The Amcrest camera is advertised as a full-HD 1080p camera capable of low-light footage capture. The developers of the device say that the camera can be used via smartphone and a PC, and footage can also be sent to the cloud via subscription. 

Within the camera’s description, Amcrest says that a number of security features have been implemented, including “SSL/HTTPS connection, wireless AES/WPA2 encryption, [a] FCC and UL camera certificate, and regular security firmware updates.”

However, in a Medium blog post, researchers say a glaring issue has been missed — the possibility of eavesdropping on a user’s audio streams. 

The vulnerability, now assigned as CVE-2019–3948, was found after an examination of the device’s firmware. 

Tenable’s Jacob Baines said that he was able to remotely listen to the camera’s audio feed over HTTP without any form of authentication. 

“The Amcrest IP2M-841B IP camera firmware version V2.520.AC00.18.R does not require authentication to access the HTTP endpoint /videotalk,” the vulnerability’s description reads. “An unauthenticated, remote person can connect to this endpoint and listen to the audio the camera is capturing.”

To exploit the bug, it only takes an attacker to point their browser or a tool such as VLC to the endpoint, and a simple script can be used to extract audio footage. 

If connected to the Internet, the researcher says, the camera essentially becomes “anyone’s listening device.”

The camera, a rebranded Dahua device, was also susceptible to CVE-2017-7927, an authentication bypass issue. 

Tenable reached out with its findings in May. Amcrest acknowledged the existence of both vulnerabilities and developed a suitable patch. The public disclosure was pushed back until 29 July, and a firmware update was made available on the same day. 

Amcrest has not responded to requests for comment at the time of publication.


Please enter your comment!
Please enter your name here