What started as an analysis of a simple security flaw in a random wireless IP camera turned into seven vulnerabilities that affect over 1,250 camera models and expose nearly 200,000 cameras to hacking.

The flaws affect a generically named product called Wireless IP Camera (P2P) WIFICAM, manufactured by a (currently unnamed) Chinese company, who sells it as a white-label product to several other camera vendors.

Blame falls solely on original Chinese vendor

Security researcher Pierre Kim says the firmware produced by this Chinese vendor comes with several flaws, which have all made their way down the line into the products of other companies that bought the white-label (unbranded) camera. In total, nearly 1,250 camera models based on the original camera are affected.

At the heart of many of these issues is the GoAhead web server, which allows camera owners to manage their device via a web-based dashboard.

Initially, Kim reported the security issues he found to Embedthis Software, the makers of GoAhead, but the company said the flaws had been introduced by the Chinese camera manufacturer, who tinkered with the server's code before adding it to the camera's firmware.

Backdoor, root-level RCE, firewall bypass - all included

According to Kim, the cameras are affected by a total of seven security flaws. The biggest ones are listed below.

Backdoor account - Telnet runs by default, and everyone can log in with the following credentials.

root:$1$ybdHbPDn$ii9aEIFNiolBbM9QxW9mr0:0:0::/root:/bin/sh

Pre-auth info and credentials leak - An attacker can bypass device authentication procedures by providing empty "loginuse" and "loginpas" parameters when accessing server configuration files. This allows the attacker to download device configuration files without logging in. The configuration files contain credentials for the device, and its FTP and SMTP accounts.

Pre-auth RCE as root - An attacker can bypass the authentication procedure and execute code on the camera under the root user just by accessing an URL with special parameters.

Streaming without authentication - An attacker can access the camera's built-in RTSP server on port 10554 and watch a live video stream without having to authenticate

Cloud - The camera provides a "Cloud" feature that lets customers manage the device via the Internet. This feature uses a clear-text UDP tunnel to bypass NATs and firewalls. An attacker can abuse this feature to launch brute-force attacks and guess the device's credentials. Kim says this Cloud protocol was found in multiple apps for multiple products, and at least 1,000,000 devices (not just cameras) seem to rely on it to bypass firewalls and access closed networks where devices are located, effectively defeating the protection those private networks provide.

Nearly 200,000 vulnerable cameras available online right now

Yesterday, Kim said that around 185,000 vulnerable cameras could be easily identified via Shodan. Today, the same query yields 198,500 vulnerable cameras.

"I advise to IMMEDIATELY DISCONNECT cameras [from] the Internet," Kim said in a blog post. "Hundreds of thousands [of] cameras are affected by the 0day Info-Leak. Millions of them are using the insecure Cloud network."

Proof-of-concept exploit code for each of the seven flaws is available on Kim's blog, along with a list of all the 1,250+ vulnerable camera models.

Yesterday, Bleeping Computer ran a story on a similar flaw in Dahua IP cameras and DVRs, which allowed the attacker to download the configuration file just by accessing an URL. Dahua is not listed in Kim's list of vulnerable camera models.

UPDATE: Shortly after our article went live, Bleeping Computer was contacted by Cybereason security researcher Amit Serper, who pointed out that both Cybereason (2014) and SSD (2017) had discovered similar flaws to the ones Kim found, not identical, but with similar results. In fact, Cybereason had tried to notify affected vendors since 2014, and published their findings in late 2016. The company went public to raise awareness to unsecured IoT devices after the DDoS attacks on Dyn and KrebsOnSecurity were carried out mainly via DVRs and IP cameras.