Loftek, VStartcam, and other IP-Enabled Security Cameras

The cybersecurity firm Checkmarx has disclosed 21 vulnerabilities in two consumer-grade IP-enabled security cameras manufactured by Loftek and VStartcam. Though neither of the cameras are currently sold, there are purportedly more than one million in use today, 200,000 of which are in the United States. These vulnerabilities could allow a hacker to enlist the cameras into a botnet, remotely turn video recording on or off, and gain control of other devices on the same network. Some of the security vulnerabilities include hardcoded credentials, the inability to update the firmware, no support for HTTPS, and the ability to create new users with administrative privileges. The cameras are also vulnerable to cross-site request forgery, stored cross-site scripting, server-side request forgery, and HTTP response splitting attacks. The Netwave and GoAhead software used in both cameras, and many other low-cost IP-enabled cameras, were the source of most of the vulnerabilities. Additionally, using the search engine Shodan, researchers identified many IP-enabled cameras using the same vulnerable firmware, including Advance, Apexis, Eshine, EyeSight, Foscam, Visioncam, and Wanscan models. The researchers attempted to contact Loftek and VStartcam but have not received replies. The NJCCIC recommends users of the affected products review Checkmarx’s analysis, consider discontinuing their use until or unless software updates are released and, if continued use is necessary, ensure the camera is not exposed to the public internet. When purchasing new IP-enabled cameras or any Internet-of-Things (IoT) devices, always review the security features to ensure, at the very least, that default credentials can be changed and updates can be applied to the software and firmware.