FLIR Systems Thermal Imaging Cameras

Security Researcher Gjoko Krstic of Zero Science Labs discovered hard-coded SSH credentials in FLIR Systems thermal imaging cameras that could be used by threat actors to gain unauthorized access to the affected devices. Krstic also found four other vulnerabilities, the most severe of which could provide threat actors with root privileges. The affected camera models include: FC-Series S (FC-334-NTSC), FC-Series ID, FC-Series R, PT-Series (PT-334 200562), D-Series, and F-Series. The proof-of-concept code and the hardcoded credentials have been made publicly available. The NJCCIC recommends all users and administrators of the affected cameras review Krstic’s report, place cameras behind a firewall to prevent external access, and update the device if a patch becomes available.