Vulnerabilities Identified in EZVIZ Smart Cams

Bitdefender

September 15, 2022


As the creator of the world’s first smart home cybersecurity hub, Bitdefender regularly audits popular IoT hardware for vulnerabilities that might affect customers if left unaddressed. This research paper is part of a broader program that aims to shed light on the security of the world’s best-sellers in the IoT space. This report covers several camera models manufactured by EZVIZ. Full details are included in the research paper below:

Download the research paper

Vulnerabilities at a glance

  • [REMOTE] Stack-Based Buffer Overflow Vulnerability can lead to remote code execution in the motion detection routine – CVE-2022-2471
  • [REMOTE] Insecure Direct Object Reference vulnerability in multiple API endpoints allows an attacker to fetch images and issue commands on behalf of the real owner of the camera
  • [REMOTE] Storing Passwords in a Recoverable Format vulnerability in /api/device/query/encryptkey allows an attacker to recover the encryption key for images
  • [LOCAL] Improper Initialization vulnerability lets an attacker recover the administrator password and completely own the device - CVE-2022-2472

Affected camera models

The vulnerabilities were found on firmware version V5.3.0 build 201719 (previous versions might also be vulnerable but were not tested). Affected device models are listed below. Please note that there may be other device models and integrations that we have not tested:

  • CS-CV248 [20XXXXX72] - V5.2.1 build 180403
  • CS-C6N-A0-1C2WFR [E1XXXXX79] - V5.3.0 build 201719
  • CS-DB1C-A0-1E2W2FR [F1XXXXX52] - V5.3.0 build 211208
  • CS-C6N-B0-1G2WF [G0XXXXX66] - v5.3.0 build 210731
  • CS-C3W-A0-3H4WFRL [F4XXXXX93] - V5.3.5 build 220120

Disclosure timeline

  • Apr 15, 2022: Bitdefender makes an initial contact attempt via multiple public communication channels
  • Apr 16, 2022: Acknowledgement received; vendor requests additional information through OneDrive
  • Apr 18, 2022: Bitdefender submits documentation and proof of concept
  • Apr 20, 2022: Report received and acknowledged by the vendor
  • May 05, 2022: Vendor informs that internal assessment is in progress
  • May 10, 2022: The vendor requests a 90-day extension for vulnerability fixing and patching
  • May 16, 2022: Vendor communicates the findings of internal assessment and confirms fix
  • Jun 20, 2022: Updates are still rolling out to vulnerable devices
  • Sep 15, 2022: This report becomes public as per the coordinated vulnerability disclosure guidelines

Impact

When daisy-chained, the discovered vulnerabilities allow an attacker to remotely control the camera, download images and decrypt them. Exploiting these vulnerabilities can bypass authentication and potentially lead to remote code execution, further compromising the integrity of the affected cameras.

Note: Bitdefender has been working closely with EZVIZ through all stages of vulnerability disclosure. We would like to extend our thanks for the prompt response time, communication, transparency and escalation.
