Is it just me, or shouldn’t a security camera be secure out of the box?
I reported this bug to the camera manufacturers a few weeks back along with how to do it, which camera models it affected, and what firmwares they were on (all updated to their latest I’ll note.)
What I got back was questions such as what color was the camera, a note to change the password and authentication methods (derp de derpty derp,) and a lot of the company asking me to do the legwork for them in discovering why their camera lets anyone with the IP address in to see it without a username and password under a default configuration with a changed password.
Should note – this is by default, although I haven’t yet found a workaround to lock my cameras down other than by changing the HTTP port, which is still useless as the camera finder app finds them.
I’m not going to expose the company name yet, but I am going to expose one flaw in a default configuration I discovered and I guess we’ll see how things go from there since they don’t seem willing to fire up their own cameras to test on. You can fire up yours to test on and see if it works for you since all these cameras are manufactured essentially by the same OEM.
The line of code in an HTML for getting a snapshot of what the camera is seeing is: <a href=”http://10.0.4.6/cgi-bin/snapshot.cgi”>this is a camera</a><br> – I encourage you to fire up notepad, save a test.html, and change 10.0.4.6 to your camera’s IP address.
We’ll see how many different brands of cameras this works on since they’re mostly manufactured by the same OEM and companies just slap their logo and modified software on it.
Open that in a browser, you’ll see your link, click said link, you’ll get a thing that says “authentication required” – enter your username and an incorrect password, you’ll get that there’s an error, enter username and no password you’ll get there’s an error.
But, and here’s the fun with this, enter nothing in either field and you’re in and can see what’s on the camera.
This works on three out of five models of camera this company is selling. The snapshot cgi is not authenticating correctly allowing anyone to see what your camera sees.
We’ll see if this gets addressed, and what other cameras it affects, as I have two more flaws I discovered in the default configuration that work on other things significantly worse as well.
