Vulnerabilities with AvertX IP security cameras
These three vulnerabilities were found in models HD838 and 438IR of AvertX used as outdoor surveillance cameras with object-detection and infrared and technology built-in. The users can store the recordings both in the cloud on a Network Video Recorder (NVR) or in a memory card.
The three vulnerabilities that were found and confirmed by AvertX were:
CVE-2020-11625: User enumeration
Faulty web user interface (UI) login attempts lead to varied results when the account doesn’t exist that could enable attackers to use brute force attacks.
CVE-2020-11624: Weak password requirements
The software does not require users to change from the default password. When the user tries to login with the default password the pop shows ‘password has been changed’ but lets the user login.
CVE-2020-11623: Exposed dangerous method or function
An exposed UART interface exists that could be exploited by an attacker with physical access to the UART and change diagnostic and configuration functionalities.
The Impact of these Vulnerabilities
The attackers can use a brute force attack by gaining legitimate accounts as the vulnerability allows to collect valid usernames and once the username is accessed it is easy to gain the password via brute force attack.
Since the camera can be accessed by using the default password- can easily make your camera and machine compromised. And the default password can be as easily accessed by reading a user manual, as a result, can connect to Iot devices.
Physical access to UATR ( universal asynchronous receiver-transmitter) can allow the attacker to change configurations, modify them, or even shut the camera down.
The company AvertX, analyzed the faults and vulnerabilities and have released a patch with proper modifications and removed the UATR connector as well as changed the interface in the later produced batches.
2020 Unit 42 IoT Threat Report showed that security cameras make 5% of Interest Of Things (IoT) devices all over but they cover 33% of security issues related to IoT devices.
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.