Alert: Avoid These Security Cameras Like the Plague

Two more low-priced security cameras have been found to have serious security flaws, according to a report from Israeli information-security firm Checkmarx.

The VStarcam C7837WIP. Credit: VStarcam

(Image credit: The VStarcam C7837WIP. Credit: VStarcam)

The Loftek CXS-2200 and VStarcam C7837WIP, which look nearly identical, contained more than a dozen vulnerabilities between them, many of which would let an attacker take over the camera from the internet.

"The vulnerabilities just kept on coming," the report notes. "A malicious user can exploit your device to track your day-to-day, know when you’re home or out, steal your email information, steal your wireless connection, gain control of other connected devices, use your camera as a bot, listen in to your conversations, record video, and more."

"It is clearly worth spending a bit more money on a more secure camera," the report adds.

We can't put it better; in our experience, it's not worth buying a sub-$100 home security camera as you'll likely be making your home less secure overall.

If you do have one of these models above, make sure it's behind a two-way network firewall, and look over the documentation to see if there's a way to change the default username and password.

MORE: Best Wireless Security Cameras

Last fall, a massive botnet of internet-connected DVRs and security cameras (though probably not home models) disrupted internet connections in parts of North America. The Checkmarx researchers called the two cameras "fertile ground" for a rerun.

"If your camera is connected, you’re definitely at risk," the Checkmarx report said. "It’s as simple as that."

The VStarcam sells for between $25 and $50 online. The Loftek model is available used on Amazon for $99.99, but other sites indicate that a new model costs between $60 and $70.

Both models seems to run very similar software, which Checkmarx said was called Netwave IP Camera. A global scan using the Shodan search engine turned up 1.2 million devices running that software facing the internet. It's likely that many times more are being used behind firewalls and on internal networks.

Both cameras apparently had the default username, "admin", and default password, "123456", printed on a sticker on their bases. Many cameras suggest that you change those credentials after setup, and some force you to do so. But with these two, the Checkmarx blog said, "there was no recommendation or enforcement for a password change."

The VStarcam enabled remote connections via Telnet, a 1970s-era communications protocol with absolutely no security, but did not mention this fact in the documentation.

You also could hijack the VStarcam by just creating a Wi-Fi network with a name containing a specific command; as soon as the VStarcam saw the network in its list of possible networks, it would send the attacker its administrative username and password.

The Loftek let you send it an HTTP command that would let you remotely create a new administrator account on the device — and make the new account's username a blank space so that it wouldn't show up in the camera's control interface.

Checkmarx said it sent emails in March to both Loftek and Vstarcam informing the manufacturers of the vulnerabilities. "We are yet to receive replies," the report said.

VStarCam is based in China, but Loftek is based in San Jose, California.  A telephone call and email to Loftek seeking comment were not immediately returned.

TOPICS
Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.