Researchers at Vdoo discover vulnerabilities which, if left un-patched, could allow attackers to take control of the devices or rope cameras into botnets.
Vulnerabilities in almost 400 models of internet connected video camera by one manufacturer could allow attackers to take remote control of devices for use as a surveillance tool with the ability to snoop on any audio or video it recorded.
By exploiting vulnerabilities in the internet-connected cameras from Axis Communications, researchers at security firm Vdoo found that remote attackers could take over devices using just the IP address and without previous access to the camera or its login credentials.
The vulnerabilities have been disclosed to Axis, which has updated the firmware of all the affected products in order to protect users from falling victim to an attack. In a blog post, Vdoo states that "to the best of our knowledge, these vulnerabilities were not exploited in the field".
In total seven vulnerabilities in the cameras were discovered and researchers have detailed how three of them could be chained together in order to provide remote access to the cameras and execute remote shell commands with root privileges.