Critical flaws found in Amcrest security cameras

Looking at the spec sheet, it’s not hard to understand why someone in search of an affordable but well-specified home security camera would choose the wireless IPM-721 series from US company Amcrest.

Launched around 2015, it offers 720p HD quality, two-way audio, the ability to pan and tilt, night vision, rounded off with four hours of cloud storage for your video footage at no extra cost.

This week, we learned that the camera had another less welcome characteristic in the form of six security flaws discovered back in 2017 by a researcher at security outfit Synopsys.

The 721 family has since been superseded by newer designs, which doesn’t, of course, mean that the many thousands of people who bought the product will stop using it just because a researcher has turned up security issues.

Those cameras are out there, an unknown number of which are in a vulnerable state that an attacker might identify using the Shodan search engine if they are configured to be accessible via the internet. Ideally, these cameras need to be identified and patched as soon as possible.

There are really three issues in play here – the nature and severity of the flaws, how users should go about updating the firmware to secure their cameras, and why it’s taken until 2019 for owners to hear about them.

The flaws

According to Threatpost, which spoke to the Synopsys researcher who uncovered the flaws, there are six vulnerabilities, now identified as CVE-2017-8226, CVE-2017-8227, CVE-2017-8228, CVE-2017-8229, CVE-2017-8230 and CVE-2017-13719.

We weren’t able to track down an advisory from Amcrest, but Synopsys posted outlines of each on Bugtraq.

Two of these – CVE-2017-8229 and CVE2017-13719 – earn a CVSS score of 9.8 and 10 respectively, which means they are critical issues.

The first allows an unauthenticated attacker to discover the camera’s admin credentials stored in clear text, facilitating a takeover of the device and, presumably including locking legitimate users out of the UI. Worryingly:

Based on cursory analysis of other Amcrest products, this might be prevalent in all the Amcrest IP cameras and also other Amcrest products.

The second is a problem in a stack overflow flaw affecting the camera’s Open Network Video Interface Forum (ONVIF) specification. This, too, could affect other Amcrest IP cameras, allowing devices to be remotely hijacked.

How to update

Reportedly, Amcrest made software patching the flaws some months ago, which would have been offered to owners when they next logged in. However, anyone who didn’t log in during this period would presumably not receive that notification.

According to Synopsis, all firmware versions (models 721S, 721W, 721B) for up to and including V2.420.AC00.16.R 9/9/2016 are vulnerable. On that basis, the firmware version offered on Amcrest’s website, V2.520.AC00.18.R, is the one to look for.

This can be applied manually by logging into the device’s UI, checking firmware versions and accessing Setup > System > Upgrade (you’ll find detailed instructions here).

Why the delay?

As the 2017 date on the CVEs makes clear, Amcrest has known about these flaws for least 18 months or more. It offered updated firmware a few months ago but delayed telling owners about the security aspect of its purpose in order to “give users time to update.”

Our concern with this would be the researcher’s assessment that other Amcrest camera systems might be affected by the two most serious flaws which, if correct, surely deserves a full public advisory.

Assuming users will update when they log in (which many never do) isn’t good enough. Owners need to be told to do this via email or via the company’s Twitter account (@AmcrestSecurity).

Ironically, Amcrest appears to be a responsible vendor by the Internet of Things’ standards where ignoring researchers and failing to offer patches can be the default position for some companies.