Newly discovered vulnerabilities in a popular baby monitor model could allow an outside attacker to access the camera feed or disable encryption of streams stored in the cloud.
Bitdefender uncovered the holes in the Victure IPC360 Camera used in the baby monitor, and has published details in a paper titled "Cracking the Victure IPC360 Monitor."
"In addition to access to the camera feed, an attacker sharing a network with the camera could also enable the RTSP and ONVIF protocols or exploit a stack-based buffer overflow to completely hijack the device," Bitdefender researchers wrote.
The list of vulnerabilities found in the model includes:
- AWS bucket missing access control
- Camera information disclosure
- Remote control of cameras
- Local stack-based buffer overflow leading to remote code execution
- Hardcoded RTSP credentials
The researchers attempted to reach Victure multiple times in 2020 to alert the company to their findings, but received only generic responses, so they decided to proceed with the vulnerability disclosure this month.
The IPC360 cloud platform serves several other camera models as well, including the Mibao Wireless IP Outdoor Camera, the Akaso P50, and the Robicam Waterproof 360.
“We estimate that these vulnerabilities are affecting more than 4 million devices worldwide,” says Bitdefender in a release on the findings.
The full research report is available here.