For a year I experimented having IP cameras in my house so that if I was away from the house I could watch to see what was happening without having to guess what could be occurring while I was work. However I should have done more research to see if it was viable option before plugging them into the wall and connecting them to the internet. It wasn’t until afterwards that I realized the camera’s which I purchased off of eBay from a Chinese vendor. At the time I had knowledge about third party commercially available spyware to which anyone could purchase with just about any form of payment. Then put it on a phone they want to target and monitor third party having similar capabilities to law enforcement but without the same authorizations. So being aware of that possibility I continued on hoping that I could avoid it seeing as I had purchased a new smartphone at the time. Which was new out of the box and the IP cameras worked with a particular app called iMegaCam which looked pretty sketchy and the reviews on the google play didn’t score well with other people who had purchased the same cameras with the app that worked with them.
Six Months Later……..
After realizing that my smartphone was hacked by me giving out my phone number to a random individual that said he might know someone who has a car for sale. Which indicated to me afterwards that the person who took my number had placed third party commercially available spyware on my phone. Because the few times I left the house and came back from work the cameras had changed there position because they were three hundred and sixty degree capable. When I hadn’t accessed the iMegaCam app those few time it dawned on me that my hacked smartphone to which I gave the number out to an attacker not someone selling a car they didn’t have. Then I realized that IP cameras have serious flaws built into the hardware and the associated software that interacts with the software on the phone itself.
Camera’s Gone and App Uninstalled
After doing some reading from some reputable source to which I will quote and leave the links below to the quoted articles.
HACKED — That is what is shown on all camera displays instead of live feed video for some Hikvision security camera owners. If it happened to you, then say hello to the backdoor in your security camera.
It’s not just happening to Hikvision-branded IP cameras either, as the backdoor is in “many white-labeled camera products sold under a variety of brand names.”
Apparently, enough time has passed for attackers to get into the game. On Sept. 12, security researcher “Monte Crypto” posted the access control bypass in Hikvision IP cameras on the Full Disclosure mailing list.
By analyzing the security of a camera, I found a pre-auth RCE as root against 1250 camera models. Shodan lists 185 000 vulnerable cameras. The “Cloud” protocol establishes clear-text UDP tunnels (in order to bypass NAT and firewalls) between an attacker and cameras by using only the serial number of the targeted camera. Then, the attacker can automatically bruteforce the credentials of cameras.
Don’t waste your money with these cameras and put your private property at risk of being vandalized, stolen or broken into by third party non governmental threat actors.