More than 120,000 Internet of Things cameras online right now can easily be hacked, a security researcher warned at a conference on Friday.
The researcher found that two cameras from Chinese gadget maker Shenzhen Neo Electronic have vulnerabilities that allow hackers to remotely access their video stream, or take full control of the cameras, opening up the possibility that someone could amass an Internet of Things botnet of around 150,000 devices. Alex Balan, a researcher at security firm Bitdefender who found the flaws, told Motherboard that he tried to warn the company, but he claims it never got back to him. So the flaws have yet to be fixed, and may never be fixed, he said.
"It's unpatched and unpatchable," Balan told Motherboard in an interview at the Def Con hacking conference in Las Vegas.
The two models of cameras that have vulnerabilities are the NIP-22 and the iDoorbell. But other cameras, from other companies, might have the same bugs because they use the same firmware, according to Balan. There's no mechanism to automatically update or push patches to the cameras, according to Balan.
The two cameras from Shenzhen Neo Electronic are not the first IoT cameras or devices found to be vulnerable. In the last few years, security researchers and malicious hackers have found several flaws in IoT devices such as surveillance cameras, crockpots, stuffed animals, dishwashers, and even dildos. These devices could be hacked individually, of course, but in certain cases hackers have found a way to enlist hundreds of thousands of vulnerable devices in botnets. These botnets have been used to launch distributed denial of service attacks that, in one case, crippled the internet on the East Coast of the United States.
Balan analyzed the two cameras and found two different vulnerabilities. The first is that the cameras ship with default username and password combinations that allow anyone to log into them remotely and watch their livestream. As of Friday, there were almost 130,000 such cameras reachable via Shodan, a search engine for internet-connected devices. Anyone can get at a camera's livestream simply by logging in with the username and password combination "user"/"user" or "guest"/"guest", Balan told me.
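The default-credential flaw described above is the kind of thing an operator can check for on their own network before an attacker does. The script below is an added example, not Bitdefender's or Shenzhen Neo's code, and it does not target the NIP-22 or iDoorbell specifically: it assumes a camera whose web interface is protected by HTTP Basic authentication on a single path (the article does not say what protocol or endpoint the cameras use, so that is an assumption). It tries the two credential pairs the article names and reports which ones a device accepts. Because the real cameras are not available offline, the block also includes a constructed stand-in camera server so the audit can be exercised locally against both a "vulnerable" and a "hardened" configuration.

```python
"""Audit a camera's HTTP login for known default credentials.

Added example, not code from the article, Bitdefender or Shenzhen Neo.
Assumption: the device uses HTTP Basic authentication on one path. The
FakeCamera class below is a constructed stand-in so this runs offline.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Credential pairs the article says the affected cameras accept.
DEFAULT_CREDENTIALS = [("user", "user"), ("guest", "guest")]


def _basic_header(username, password):
    """Build the value of an HTTP Basic 'Authorization' header."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return "Basic " + token


def accepts_default_credentials(host, port, path="/", creds=DEFAULT_CREDENTIALS, timeout=3):
    """Return the subset of `creds` that the device at host:port accepts.

    A 2xx response means the login worked. A 401/403 means it was rejected.
    An unreachable host is reported as accepting nothing, so a dead device
    never shows up as vulnerable by mistake.
    """
    accepted = []
    for username, password in creds:
        req = urllib.request.Request(
            f"http://{host}:{port}{path}",
            headers={"Authorization": _basic_header(username, password)},
        )
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if 200 <= resp.status < 300:
                    accepted.append((username, password))
        except urllib.error.HTTPError:
            pass  # 401/403: credentials rejected
        except (urllib.error.URLError, OSError):
            pass  # refused/timeout: cannot conclude anything
    return accepted


class FakeCamera(BaseHTTPRequestHandler):
    """Constructed stand-in for a camera web UI guarded by Basic auth."""

    valid = set()  # (username, password) pairs this instance accepts

    def do_GET(self):
        header = self.headers.get("Authorization", "")
        ok = False
        if header.startswith("Basic "):
            try:
                user, _, pw = base64.b64decode(header[6:]).decode().partition(":")
                ok = (user, pw) in self.valid
            except (ValueError, UnicodeDecodeError):
                ok = False  # malformed token: treat as a failed login
        if ok:
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"livestream")
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="camera"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the stand-in quiet


def start_fake_camera(valid_credentials):
    """Start a stand-in camera on an ephemeral localhost port; return (server, port)."""
    handler = type("Handler", (FakeCamera,), {"valid": set(valid_credentials)})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # Vulnerable configuration: the shipped defaults still work.
    server, port = start_fake_camera(DEFAULT_CREDENTIALS)
    print("vulnerable camera accepts:", accepts_default_credentials("127.0.0.1", port))
    server.shutdown()
    # Hardened configuration: defaults replaced with an operator-chosen password.
    server, port = start_fake_camera([("admin", "correct horse battery staple")])
    print("hardened camera accepts:", accepts_default_credentials("127.0.0.1", port))
    server.shutdown()
```

Run against a real device, `accepts_default_credentials` returning anything other than an empty list is the finding; since the article notes there is no update mechanism for these cameras, the practical mitigation is to change the credentials where the firmware allows it and to keep the device off the public internet.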
The second bug is a buffer overflow that allows hackers to take control of the cameras remotely, letting an attacker enlist them as zombie devices in a botnet, Balan said.
"The worst thing that could happen is kind of a moral problem for me because it could happen after my talk," Balan said, adding that there might be even more vulnerable devices than just 120,000. "Somebody could create a 200,000 botnet with it."
Shenzhen Neo did not immediately answer a request for comment.
By showing off his hack at the Def Con hacking conference on Friday, Balan hopes to create awareness around IoT flaws—"the gift that keeps on giving," as he put it—and encourage researchers to try to find ways to remotely hack other IoT devices.
"There's no sufficient awareness on mass hacks on IoT," Balan said.
If people keep hacking IoT devices, especially the bad guys, that might change soon.