Vulnerabilities Identified in Neos SmartCam IoT Device

Bitdefender Advanced Business Security

Foreword

Connected IP cameras are ubiquitous. Always connected and readily available from outside of the home, they are the go-to surveillance device. But their constant connection to their cloud means they can be found and hijacked, if vulnerable.

As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program and aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers the Neos SmartCam and is based on our research of the 4.15.2.133 firmware version.

Note: While research, reporting and patching took place in the last few months of 2020, we had to defer the publication of this report because these vulnerabilities were shared with other platforms and products at the time.

We’d like to thank the security team at Neos for their rapid acknowledgment of issues and rapid delivery of new firmware. Neos is running a bug bounty program, which greatly helped both parties establish a secure communication channel and coordinate further.

Vulnerabilities at a glance

  • A vulnerability in device firmware allows a local attacker to bypass the authentication mechanism and gain access to undocumented device features, including root access.
  • A buffer overflow in device firmware allows a remote attacker to execute code on the vulnerable device and exploit it further.

Disclosure timeline

  • November 10, 2020 – Bitdefender makes first contact with the vendor and establishes a secure channel to exchange information about the vulnerability
  • November 11, 2020 – Vendor acknowledges receipt
  • November 12/18, 2020 – Vendor investigates and confirms the vulnerability
  • January 14, 2021 – Vendor releases firmware version 4.15.2.311 which fixes both vulnerabilities
  • April 22, 2022 – Bitdefender publishes this report

Vulnerability walkthrough

Authentication bypass with elevation to root

The Neos SmartCam uses the Kalay SDK to communicate with the cloud platform. The TUTK service running on the device normally expects the 0x2710 command during authentication. We have discovered that sending ID 0x2712 and NULL content to the TUTK service instead would bypass authentication.

This lets us access undocumented functionality (such as enabling the telnet service) and authenticate as root. Our proof-of-concept code would bypass authentication and then send another command (ID 0x2780) to enable the Telnet service.

Impact: By bypassing authentication, we can access undocumented features, allowing us to gain root privileges on the device by enabling Telnet and using the root:ismart12 credentials. The bypass can be exploited from LAN or remotely, as long as the attacker knows the device UID.
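The root cause described above is a command dispatcher in which an alternative command ID, sent with NULL content, is accepted before the session has authenticated. The following is an added example of the hardened design a defender would expect instead; it is not Kalay SDK or iCamera code. Only the three command IDs are taken from the report; the session structure, the demo token, the return codes and the dispatcher itself are hypothetical. It replays the report's sequence (ID 0x2712 with NULL content, then ID 0x2780) against a fresh session to show that a default-deny gate refuses it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Command IDs are the ones named in the report. The session structure, the
 * demo token and the dispatcher are a hypothetical hardened design written
 * for this example; they are not Kalay SDK or iCamera code. */
#define CMD_AUTH          0x2710
#define CMD_UNDOC_2712    0x2712
#define CMD_ENABLE_TELNET 0x2780

typedef struct {
    int authenticated;   /* 0 until CMD_AUTH succeeds */
} session_t;

enum { R_OK = 0, R_DENIED = -1, R_BAD_REQUEST = -2, R_UNKNOWN = -3 };

/* Constructed credential for the demo; a real device would verify a
 * per-device secret here rather than a compiled-in string. */
static const char DEMO_TOKEN[] = "constructed-demo-token";

static int handle_auth(session_t *s, const uint8_t *payload, size_t len)
{
    if (payload == NULL || len != sizeof DEMO_TOKEN - 1)
        return R_BAD_REQUEST;
    if (memcmp(payload, DEMO_TOKEN, len) != 0)
        return R_DENIED;
    s->authenticated = 1;
    return R_OK;
}

/* Default-deny dispatcher: the authentication gate runs before the command
 * ID is looked up, so no alternative ID can reach a handler first; a NULL or
 * empty payload is never accepted as a well-formed post-auth message;
 * unknown IDs return an error instead of falling through; and the
 * debug-service command is refused even for authenticated sessions. */
int dispatch(session_t *s, uint16_t id, const uint8_t *payload, size_t len)
{
    if (s == NULL)
        return R_BAD_REQUEST;
    if (id == CMD_AUTH)
        return handle_auth(s, payload, len);
    if (!s->authenticated)
        return R_DENIED;
    if (payload == NULL || len == 0)
        return R_BAD_REQUEST;
    switch (id) {
    case CMD_ENABLE_TELNET:
        return R_DENIED;
    default:
        return R_UNKNOWN;
    }
}

/* Replays the sequence the report describes (ID 0x2712 with NULL content,
 * then ID 0x2780) against a fresh session; returns 1 if both were refused. */
int replay_report_sequence(void)
{
    session_t s = {0};
    int first  = dispatch(&s, CMD_UNDOC_2712, NULL, 0);
    int second = dispatch(&s, CMD_ENABLE_TELNET, NULL, 0);
    return first == R_DENIED && second == R_DENIED && s.authenticated == 0;
}

/* A correct credential authenticates, but the telnet command is still refused. */
int authenticated_flow(void)
{
    session_t s = {0};
    const uint8_t one = 1;
    int a = dispatch(&s, CMD_AUTH, (const uint8_t *)DEMO_TOKEN, sizeof DEMO_TOKEN - 1);
    int t = dispatch(&s, CMD_ENABLE_TELNET, &one, 1);
    return a == R_OK && s.authenticated == 1 && t == R_DENIED;
}

int main(void)
{
    printf("report sequence refused: %s\n", replay_report_sequence() ? "yes" : "no");
    printf("authenticated flow ok:   %s\n", authenticated_flow() ? "yes" : "no");
    return 0;
}
```

The point of the ordering is that the authentication check is a property of the session, evaluated once for every message, rather than something each handler remembers to do. Handlers that must never be reachable in production (telnet, other debug features) are refused outright so that a future gate bug cannot re-expose them.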

Buffer overflow with remote code execution

The same TUTK component is also vulnerable to a buffer overflow attack. The handler for the TUTK command with ID 0x2776 does not validate the received buffer length. This allows us to overwrite the return address and obtain code execution. Paired with the TUTK authentication bypass described earlier, it lets an attacker exploit any camera remotely, knowing only the device UID.

Our PoC bypasses authentication and then sends the command with ID 0x2776 to exploit the vulnerability and execute the specified command. As the iCamera executable crashes, the watchdog will restart the camera, but we can achieve persistence by modifying the startup script.

Impact: By exploiting this vulnerability, we can run commands as root on the SmartCam device. The functionality can be accessed remotely, provided the attacker knows the device UID.
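The defect class here is a handler that copies a received buffer into fixed storage using a length it did not validate. The following added example, written for this report and not taken from the iCamera firmware or the Kalay SDK, places that weak pattern beside a hardened handler that fails closed. The frame layout (a length field carried in the packet plus the byte count actually read from the transport), the 64-byte buffer size and the return codes are constructed assumptions; only the command ID 0x2776 comes from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the handler's fixed stack buffer. The real iCamera layout is not
 * described in the report; 64 is a constructed value for this example. */
#define CMD_2776_BUF 64

/* Model of a received command frame. The framing (a length field carried in
 * the packet, plus the byte count actually read from the transport) is an
 * assumption for this example, not the Kalay wire format. */
typedef struct {
    uint16_t id;            /* command ID, 0x2776 in the report */
    uint16_t declared_len;  /* length field taken from the packet */
    size_t   received_len;  /* bytes actually read from the socket */
    const uint8_t *data;
} frame_t;

enum { H_OK = 0, H_BAD_FRAME = -1, H_TOO_LONG = -2 };

/* Weak pattern matching the defect class in the report: the length field is
 * trusted and copied into a fixed stack buffer. A declared_len larger than
 * the buffer writes past it and over the saved return address. Shown for
 * contrast only; never call it with an oversized frame. */
int handle_2776_weak(const frame_t *f)
{
    char buf[CMD_2776_BUF];
    memcpy(buf, f->data, f->declared_len);
    return (int)f->declared_len;
}

/* Hardened pattern: fail closed before touching the buffer. The declared
 * length must equal what was actually received (catches truncated frames
 * and forged length fields), must leave room for a terminator, and must
 * fit the caller's output buffer. */
int handle_2776_hardened(const frame_t *f, char *out, size_t out_cap)
{
    char buf[CMD_2776_BUF];

    if (f == NULL || f->data == NULL || out == NULL || out_cap == 0)
        return H_BAD_FRAME;
    if (f->declared_len != f->received_len)
        return H_BAD_FRAME;
    if (f->declared_len >= sizeof buf)
        return H_TOO_LONG;
    if ((size_t)f->declared_len + 1 > out_cap)
        return H_TOO_LONG;

    memcpy(buf, f->data, f->declared_len);
    buf[f->declared_len] = '\0';
    memcpy(out, buf, (size_t)f->declared_len + 1);
    return H_OK;
}

/* Constructed frames exercising the three cases. */
int demo_in_bounds(void)
{
    static const uint8_t payload[] = "hello";
    frame_t f = { 0x2776, 5, 5, payload };
    char out[16];
    return handle_2776_hardened(&f, out, sizeof out) == H_OK
        && strcmp(out, "hello") == 0
        && handle_2776_weak(&f) == 5;      /* safe: 5 bytes fit the buffer */
}

int demo_oversized(void)
{
    static uint8_t payload[200];
    memset(payload, 'A', sizeof payload);
    frame_t f = { 0x2776, 200, 200, payload };
    char out[16];
    return handle_2776_hardened(&f, out, sizeof out);   /* H_TOO_LONG */
}

int demo_forged_length(void)
{
    static const uint8_t payload[] = "hi";
    frame_t f = { 0x2776, 200, 2, payload };   /* claims 200, only 2 arrived */
    char out[16];
    return handle_2776_hardened(&f, out, sizeof out);   /* H_BAD_FRAME */
}

int main(void)
{
    printf("in bounds ok: %d\n", demo_in_bounds());
    printf("oversized:    %d\n", demo_oversized());
    printf("forged len:   %d\n", demo_forged_length());
    return 0;
}
```

Two checks matter in the hardened version: the length field is compared with the number of bytes that actually arrived, because a packet can claim more than it carries, and the comparison against the buffer uses `>=` so that the terminating NUL always has room. Both checks run before the first write, so a rejected frame leaves no partial state behind.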

Mitigation

Home users should keep a close eye on IoT devices and isolate them as much as possible from the local or guest network. This can be done by setting up a dedicated SSID exclusively for IoT devices.

Additionally, IoT users can use the free Bitdefender Smart Home Scanner app to scan for connected devices and identify and highlight vulnerable ones. IoT device owners should also make sure that they check for newer firmware and update devices as soon as the vendor releases new versions.

To minimize risks of compromise, smart home users should consider the adoption of a network cybersecurity solution integrated into the router, such as the NETGEAR Orbi or Nighthawk routers powered by Bitdefender Armor.