Bitdefender’s security researchers found two vulnerabilities in the NeosSmartCam IoT devices that would allow attackers to bypass authentication and execute code remotely, opening up new ways to exploit the device.
It’s impossible to overstate the importance of smart security cameras or the value of the content they gather every day. Many consumers install them and forget about an online ‘eye’ that’s always filming in the background. Opening this type of hardware to remote attacks is one of the worst possible scenarios for a smart home.
In an effort to address these issues and make the smart home safer, Bitdefender regularly investigates some of the most popular IoT devices on the market. Security researchers analyzed the NeosSmartCam and found two vulnerabilities that the vendor quickly fixed.
“A vulnerability in device firmware allows a local attacker to bypass the authentication mechanism and gain access to undocumented device features, including root access,” said the security researchers in the paper.
“We can access undocumented features, allowing us to gain root privileges on the device by enabling Telnet and using the root:ismart12 credentials.”
Attackers can exploit the vulnerability remotely or from the local network, making it especially dangerous. The second vulnerability is a buffer overflow that lets an unauthorized third party run commands as root. Like the first one, it can also be triggered remotely, provided the attacker knows the device UID.
The vendor addressed the problem quickly and released firmware version 22.214.171.1241, which fixes both vulnerabilities. The fact that Neos runs a bug bounty program helped a great deal because it allowed both parties to establish a secure communication channel.
As a precaution, make sure that you keep your IoT devices isolated on the home network, connected to a dedicated SSID. If you have smart devices in your house, you should also adopt a powerful network cybersecurity solution such as NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.
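The isolation advice above can be enforced at the router rather than relying on the camera's own firmware. The following nftables ruleset is an added example for a Linux-based home router and is not part of the Bitdefender article or of any vendor product; the interface names lan0, iot0 and wan0 are assumptions. It lets the trusted LAN open connections to the camera segment (to view a feed) and lets the cameras reach the internet, but drops and logs anything a camera tries to initiate toward the trusted LAN, so a compromised device with Telnet enabled cannot be used as a foothold against the rest of the home network.

```nft
# Added example, not the article's or the vendor's configuration.
# Assumed interfaces: lan0 = trusted LAN, iot0 = camera/IoT VLAN, wan0 = uplink.
table inet iot_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the trusted LAN opened (e.g. viewing the camera feed)
        ct state established,related accept

        # Trusted LAN may reach the IoT segment; IoT devices may reach the internet
        iifname "lan0" oifname "iot0" accept
        iifname "iot0" oifname "wan0" accept

        # Cameras may not initiate anything toward the trusted LAN; log the attempt
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan: " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the "iot-to-lan:" prefix: a camera that suddenly starts probing the trusted LAN is a useful signal that something on it is no longer behaving like a camera.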