Zero-day vulnerabilities in Victure baby monitors allow hackers to spy on families remotely. Parents should turn off these devices

Cybersecurity specialists report the detection of a set of severe vulnerabilities in a popular baby monitor whose exploitation would allow hackers to execute arbitrary code on the affected devices. According to the report, prepared by Bitdefender experts, these failures reside in the equipment manufactured by the Chinese company Victure.

Through a security wing, the researchers detailed the detection of stack-based buffer overflow in the ONVIF server component of the Victure PC420 smart camera. This issue would allow threat actors to execute remote code on the affected device, leading to subsequent attack scenarios such as interception of signals transmitted by these devices and compromise of the affected firmware.

Bogdan Botezatu, research director at Bitdefender, says that these devices and their cloud platform are very popular deployments among Internet of Things (IoT) users, so there could be up to 4 million implementations affected. It should be clarified that the fault lies in the Victure PC420 devices with firmware version 1.2.2 and earlier.

The researchers tried to contact Victure to present their findings, although they decided to reveal the flaw after receiving no response: “We made several attempts to contact the provider, although we were unsuccessful,” adds Botezatu.

Considering that the manufacturer seems to be unaccupied with the flaws and that the firmware of these devices has not been updated, users concerned about their safety are advised to completely stop using any Victure equipment: “Threat actors have abused similar flaws on previous occasions, putting at severe risk the minors who are supposed to monitor these monitors,” adds the expert.

Experts point out that evading vulnerability reports is a negligent practice on the part of IoT device manufacturers, as they choose not to release updates, let alone alert users to the security risks related to the affected devices. At the time of writing, the China-based company keeps without answering to the constant requests for information.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.