Amcrest home security camera contains flaw that lets hackers listen to audio feeds using a web browser
- An Amcrest branded security camera was found to contain a serious flaw
- The bug let anyone tap into audio from the device without authentication
- Researchers say the cam is rebranded from Dahua, a banned Chinese company
- A patch has been issued after being pointed out and the firmware was updated
Security researchers have found a major flaw in a popular home security camera that could let hackers tune into audio streams.
The flaw affects the Amcrest IP2M-841B IP camera, an internet-connected security cam sold on Amazon and the subject of more than 12,000 consumer reviews.
The camera is capable of capturing video in 1080p and can be used with a smartphone and a PC. Footage can also be uploaded to the cloud with a subscription.
Researchers say a popular home security camera contained a flaw that allowed others to tap into audio feeds without authentication.
Amcrest offers an array of home security cameras, including one that has more than 12,000 consumer reviews on Amazon.
Researchers at the security firm Tenable say they discovered a serious bug in the products firmware which allows hackers to listen into audio over HTTP without authentication.
To make matters worse, researchers describe the flaw as ‘trivial’ meaning all that needs to be leveraged to exploit the bug is a simple media playing tool like VLC or a browser.
Once directed at the ‘endpoint,’ a script is able to extract the audio feed from the camera say researchers.
‘Connecting to the audio stream is trivial. Simply point your browser or a tool like VLC at the videotalk endpoint,’ write the researchers in a post on Medium.
Upon further inspection, researchers also note that Amcrest cameras are ‘clearly rebranded Dahua’ cameras.
Dahua, a chinese company, has been a recent target of lawmakers in the U.S. who banned the usage of their cameras last year due to concerns over spying.
According to Bloomberg, in 2017, Dahua’s cameras were found to contain a backdoor that let unauthorized users tap into the camera’s stream and send data to China.
Thousands of the cameras are still installed, despite the ban which slated a deadline for complete removal on August 13 this year.
Tenable said that it reached out to Amcrest about its findings in May and Amcrest developed a patch for the camera as a result.
According to ZDNet, the public disclosure of the bug was pushed to July 29, the same day Dahua issued a firmware update.
For those worried about their own home security devices, researchers at Tenable have some sage advice,
‘As usual, don’t expose your cameras to the internet and be wary of your IoT devices in general,’ wrote researchers.
