Zero-day Flaws in Popular Baby Monitors Give Attackers Access to Camera Feeds

Several zero-day vulnerabilities in baby monitors used around the world could allow unauthorized access to cameras and spying on the private lives of users.

Security researchers from Bitdefender discovered several critical flaws in the Internet of Things (IoT) devices made by Victure.

Bitdefender has discovered a stack-based buffer overflow flaw in the ONVIF server portion of Victure’s PC420 smart camera. This issue can allow an attacker to execute code remotely.

The vulnerabilities affect Victure PC420 firmware versions 1.2.2 and prior. An attacker who exploits this flaw could send unauthorized feeds to third parties.

“While we cannot envision all the scenarios, we conservatively estimate that a determined hacker could use these vulnerabilities to spy on camera owners in their homes constantly, or allow others to engage in such activity,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender.

Around four million IoT cameras belonging to users of Victure’s cloud platform are affected by the issue.

The security vendor Bitdefender released details of the issues after attempting to contact the company to report its findings:

“We have made multiple attempts to get in touch with the vendor to offer our expertise in fixing these issues, but to no avail. We have decided to publish the research to at least let the users know that they are possibly sacrificing their privacy every minute they keep this device connected to their network.”

Researchers said that users should stop using Victure’s devices immediately. Botezatu also advised that parents should focus on security issues and the cost of the device.

“When choosing a baby monitor, the security aspect should trump features or price point. This is because similar vulnerabilities have been used in the past by threat actors to directly communicate with children, thus exposing them to interactions with adults outside the family’s circle of trust,” Botezatu said.

Bitdefender researchers said they decided to publish the findings because they wanted potentially affected customers to be aware of the risks that come with such products.

“We have been warning about the dangers of vulnerable video equipment for years and we started this vulnerability research project to help parents protect their privacy, as well as their children’s. Sometimes, vendors choose to ignore these gaping holes and leave customers exposed instead.”

About the author

CIM Team
