Zero day vulnerability to spy on Yale IP cameras

A few months ago, security researchers at Firedome Labs identified and disclosed multiple zero-day vulnerabilities in Yale's smart IP cameras; according to the researchers, exploiting these flaws would leave the devices open to threat actors. The vulnerabilities have since been fixed by the vendor.

The vulnerabilities resided in the firmware of the Yale WIPC-301W IP camera. The researchers found that the device's local web server is susceptible to remote code execution, so a threat actor could gain full control of the device: extracting files, enabling or disabling specific functions, and even installing ransomware.

To demonstrate the impact, the Firedome researchers exploited the vulnerability to install their own Firedome Endpoint Protection Agent on the vulnerable device; the agent then patched the flaw and, through its threat detection, response and prevention mechanisms, protected the device from further exploitation. A malicious hacker could use exactly the same path to install malware or steal sensitive information.

Scanning the Internet, Firedome's research team found that several other companies ship the same base firmware, so their devices are very likely susceptible to attacks of the same nature. The researchers found nearly 45,000 Internet-exposed devices worldwide running vulnerable firmware versions (2.x.2.29 to 2.x.2.43_p1). Since the scan only covers devices reachable directly from the Internet, the actual number of vulnerable devices is estimated to be much higher.
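For a defender with an inventory of camera firmware strings, the practical question is whether a given version falls inside the reported range. The following Python triage check is an added example, not code from Firedome or from the original article. It assumes the firmware string follows the layout the article shows (major.variant.minor.build with an optional `_pN` patch suffix), that the `x` in `2.x.2.29` is a variant field that does not affect the comparison, and that the upper bound `2.x.2.43_p1` is inclusive; the hosts and firmware strings in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected range reported in the article: 2.x.2.29 through 2.x.2.43_p1.
# The "x" is a wildcard; this example assumes the second field is a
# hardware/model variant and ignores it when comparing versions.
VULN_FIRST = (29, 0)   # build 29, no patch suffix
VULN_LAST = (43, 1)    # build 43 with "_p1" (assumed inclusive)

_VERSION_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<variant>[0-9A-Za-z]+)\.(?P<minor>\d+)\.(?P<build>\d+)"
    r"(?:_p(?P<patch>\d+))?$"
)


def parse_version(text: str) -> Optional[Dict[str, object]]:
    """Split a firmware string like '2.21.2.43_p1' into its fields.

    Returns None when the string does not follow the 2.x.y.z[_pN] layout,
    so callers can tell "not vulnerable" apart from "could not tell".
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    return {
        "major": int(m.group("major")),
        "variant": m.group("variant"),
        "minor": int(m.group("minor")),
        "build": int(m.group("build")),
        # A missing "_pN" suffix sorts before "_p1" of the same build.
        "patch": int(m.group("patch") or 0),
    }


def is_vulnerable(text: str) -> Optional[bool]:
    """True if inside the reported range, False if outside, None if unparseable."""
    v = parse_version(text)
    if v is None:
        return None
    if v["major"] != 2 or v["minor"] != 2:
        return False
    return VULN_FIRST <= (v["build"], v["patch"]) <= VULN_LAST


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (host, firmware) pairs into vulnerable / safe / unknown."""
    buckets: Dict[str, List[str]] = {"vulnerable": [], "safe": [], "unknown": []}
    for host, fw in inventory:
        result = is_vulnerable(fw)
        key = "unknown" if result is None else ("vulnerable" if result else "safe")
        buckets[key].append(host)
    return buckets


# Constructed sample inventory (hostnames and firmware strings are made up).
SAMPLE_INVENTORY = [
    ("cam-01", "2.21.2.29"),
    ("cam-02", "2.21.2.43"),
    ("cam-03", "2.21.2.43_p1"),
    ("cam-04", "2.21.2.43_p2"),
    ("cam-05", "2.21.2.28"),
    ("cam-06", "2.21.2.44"),
    ("cam-07", "unknown"),
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:10s} {', '.join(hosts) or '-'}")
```

Keeping "unknown" as a separate bucket matters in practice: a device that reports a version string in an unexpected format has not been cleared, and should be checked by hand rather than silently counted as safe.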

The camera runs an HTTP web interface on port 88, served by a local lighttpd web server that passes API commands to the backend over a FastCGI interface. Although the web interface is meant for the local network, it is easily exposed to the Internet via UPnP, port forwarding and similar mechanisms.

According to the researchers, even where the web user interface cannot be used from a web browser, the web server's API still processes incoming HTTP requests, so it remains exposed to attack. In addition, the communication is not protected by HTTPS: an unencrypted plain-text channel is used, and the device credentials are passed in plain text with every API command sent to the web server.
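Because every API command carries the credentials in the clear, anyone who can see traffic to port 88 can recover the device password, and the same property makes the problem easy to detect on the wire. The following Python check is an added example, not code from Firedome or from the original article: it scans captured HTTP request lines for credential-like query parameters and produces a redacted copy that can be logged safely. The parameter names it looks for (`usr`, `user`, `username`, `pwd`, `pass`, `password`), the `/api.fcgi` endpoint and the sample requests are all assumptions constructed for the example; the article does not name the camera API's real parameters or paths.

```python
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as credentials. This is an assumption of the
# example; the article does not name the camera API's actual parameters.
CREDENTIAL_PARAMS = {"usr", "user", "username", "pwd", "pass", "password"}

CAMERA_API_PORT = 88  # port reported for the camera's web interface

# Constructed sample of request lines recovered from a plain-text capture,
# as (client_ip, server_ip, server_port, request_line). Hosts, paths and
# values are made up; "/api.fcgi" is a hypothetical FastCGI endpoint.
SAMPLE_REQUESTS: List[Tuple[str, str, int, str]] = [
    ("10.0.0.5", "10.0.0.20", 88, "GET /api.fcgi?cmd=getDeviceInfo&usr=admin&pwd=s3cret HTTP/1.1"),
    ("10.0.0.5", "10.0.0.20", 88, "GET /api.fcgi?cmd=getStatus HTTP/1.1"),
    ("10.0.0.7", "10.0.0.20", 88, "GET /api.fcgi?cmd=snapPicture&user=viewer&password=hunter2 HTTP/1.1"),
    ("10.0.0.7", "10.0.0.30", 80, "POST /login?username=bob&pass=pw HTTP/1.1"),
]


def _split_request_line(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (method, target, version) or None for a malformed line."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return parts[0], parts[1], parts[2]


def credential_params(target: str) -> List[str]:
    """Names of credential-like parameters in the target's query string."""
    query = urlsplit(target).query
    names = {k for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(n for n in names if n.lower() in CREDENTIAL_PARAMS)


def find_plaintext_credentials(records, camera_port: int = CAMERA_API_PORT) -> List[Dict[str, object]]:
    """Flag every captured request that carries credentials in its query."""
    findings: List[Dict[str, object]] = []
    for client, server, port, line in records:
        parsed = _split_request_line(line)
        if parsed is None:
            continue
        method, target, _ = parsed
        exposed = credential_params(target)
        if not exposed:
            continue
        findings.append({
            "client": client, "server": server, "port": port,
            "method": method, "path": urlsplit(target).path,
            "params": exposed,
            "camera_api": port == camera_port,  # tag hits on the camera port
        })
    return findings


def redact_request_line(line: str) -> str:
    """Copy of the request line with credential values replaced, so the
    capture can be logged or shared without leaking the device password."""
    parsed = _split_request_line(line)
    if parsed is None:
        return line
    method, target, version = parsed
    parts = urlsplit(target)
    pairs = [(k, "REDACTED" if k.lower() in CREDENTIAL_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    new_target = urlunsplit(parts._replace(query=urlencode(pairs)))
    return f"{method} {new_target} {version}"


if __name__ == "__main__":
    for hit in find_plaintext_credentials(SAMPLE_REQUESTS):
        flag = "camera API" if hit["camera_api"] else "other service"
        print(f"{hit['client']} -> {hit['server']}:{hit['port']} ({flag}) "
              f"{hit['method']} {hit['path']} exposes {hit['params']}")
    print(redact_request_line(SAMPLE_REQUESTS[0][3]))
```

The redaction step is there because the natural next move after a finding is to attach the offending request to a ticket; copying the raw line would spread the very password the check just flagged.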

Additional technical details are available in Firedome's full vulnerability report. For further reports on vulnerabilities, exploits, malware variants and computer security risks, see the website of the International Institute of Cyber Security (IICS) and the official platforms of technology vendors.