Bad news for owners of Ezviz devices. Bitdefender cybersecurity experts have revealed some critical vulnerabilities in Ezviz cameras which could put consumer privacy at risk.
Experts advise updating the software immediately by applying the patches made available free of charge by the manufacturer.
Ezviz cameras: the security vulnerabilities found
Bitdefender’s research reveals that hackers, exploiting several vulnerabilities, were able to completely compromise the cameras by accessing the feed of the camera itself. Thus, cybercriminals would be able to steal device images, inject malicious code and recover stored passwords. Over 10 million devices are estimated to have been hit.
During its investigation Bitdefender worked closely with the manufacturer Ezviz, which immediately released software update patches.
Specifically, the vulnerabilities found concern:
- Stack-Based Buffer Overflow: can lead to remote code execution during the motion detection procedure. (Remote)
- Insecure Direct Object Reference in multiple API endpoints: allows a hacker to retrieve images and issue commands on behalf of the real owner of the camera. (Remote)
- Storing Passwords in a Recoverable Format (in /api/device/query/encryptkey): allows a hacker to recover the image encryption key. (Remote)
- Improper Initialization: allows a hacker to recover the administrator password and take full control of the device. (Local)
The issues were found on the following EZVIZ video security device models:
- CS-CV248 [20XXXXX72] – V5.2.1 build 180403
- CS-C6N-A0-1C2WFR [E1XXXXX79] – V5.3.0 build 201719
- CS-DB1C-A0-1E2W2FR [F1XXXXX52] – V5.3.0 build 211208
- CS-C6N-B0-1G2WF [G0XXXXX66] – v5.3.0 build 210731
- CS-C3W-A0-3H4WFRL [F4XXXXX93] – V5.3.5 build 220120