Unremovable Backdoor Accounts in FLIR Thermal Security Cameras

Discussion in 'Networking and Wireless' started by hmscott, Oct 22, 2017.

  1. hmscott

    hmscott Notebook Nobel Laureate

    Reputations:
    3,627
    Messages:
    13,488
    Likes Received:
    15,609
    Trophy Points:
    931
    Researcher Finds Unremovable Backdoor Accounts (and more!!) in FLIR Thermal Security Cameras
    https://www.bleepingcomputer.com/ne...or-accounts-in-flir-thermal-security-cameras/

    "UPDATE [October 17, 15:35 ET]: FLIR has told Bleeping Computer that it issued security updates for the flaws reported above. Customers can download the firmware updates and installation instructions from this page."

    "Gjoko Krstic, a security researcher with Zero Science Labs, has discovered secret hard-coded accounts in thermal security cameras manufactured by FLIR Systems, Inc., one of the largest vendor of such products.

    According to Krstic, the backdoor accounts "are never exposed to the end-user and cannot be changed through any normal operation of the camera.""

    "The hard-coded credentials affect the following FLIR thermal camera series:
    FC-Series S (FC-334-NTSC)
    FC-Series ID
    FC-Series R
    PT-Series (PT-334 200562)
    D-Series
    F-Series

    Depending on the FLIR camera version, the following username-password combos will grant an attacker access over the device.
    root:indigo
    root:video
    default:video
    default:[blank]
    ftp:video

    Besides the secret backdoors, Krstic also found four other vulnerabilities:
    Stream Disclosure — attackers can access the security camera's stream without needing to authenticate.
    Remote Root Exploit — attackers can execute code on vulnerable cameras with root privileges.
    Authenticated OS Command Injection — attackers with access to limited accounts can inject commands and have them executed with root privileges.
    Multiple Information Disclosures — attackers can access/query certain camera files and read other local resources."

    "No response from vendor
    The researcher reported the vulnerabilities to FLIR, via the Beyond Security's managed disclosure program, but neither he or Beyond Security received a response from FLIR regarding the issues.

    In late September, Krstic published proof of concept code for all the issues he reported [1, 2, 3, 4, 5].

    Two days ago, Depth Security also published research on other vulnerabilities in FLIR products the company failed to patch.

    There are several ways that FLIR customers can protect themselves. The easiest one is to prevent access to these cameras from the Internet by placing the devices behind a firewall until the vendor issues a patch."
     
    Tinderbox (UK) and Vasudev like this.
Loading...

Share This Page