Several zero-day vulnerabilities in baby monitors used around the world could allow unauthorized access to cameras and spying on the private lives of users.
Security researchers from Bitdefender discovered several critical flaws in the Internet of Things (IoT) devices made by Victure.
Bitdefender has discovered a stack-based buffer overflow flaw in the ONVIF server portion of Victure’s PC420 smart camera. This issue can allow an attacker to execute code remotely.
The vulnerabilities affect Victure PC420 firmware versions 1.2.2 and prior. An attacker could exploit this flaw by sending unauthorized feeds to third parties.
“While we cannot envision all the scenarios, we conservatively estimate that a determined hacker could use these vulnerabilities to spy on camera owners in their homes constantly, or allow others to engage in such activity,” said Bogdan Botezatu, director of threat research and reporting at Bitdefender.
Around four million IoT cameras belonging to users of Victure’s cloud platform are affected by the issue.
The security vendor Bitdefender released details of the issues after attempting to contact the company to report their findings:
“We have made multiple attempts to get in touch with the vendor to offer our expertise in fixing these issues, but to no avail. We have decided to publish the research to at least let the users know that they are possibly sacrificing their privacy every minute they keep this device connected to their network.”
Researchers said that users should stop using Victure’s devices immediately. They also advised that parents should focus on security issues and the cost of the device.
“When choosing a baby monitor, the security aspect should trump features or price point. This is because similar vulnerabilities have been used in the past by threat actors to directly communicate with children, thus exposing them to interactions with adults outside the family’s circle of trust,” Botezatu said.
Bitdefender researchers said they decided to publish the findings because they wanted potentially affected customers to be aware of the risks that come with such products.
“We have been warning about the dangers of vulnerable video equipment for years and we started this vulnerability research project to help parents protect their privacy, as well as their children’s. Sometimes, vendors choose to ignore these gaping holes and leave customers exposed instead.”