Yi IoT Home Camera Riddled with Code-Execution Vulnerabilities

Multiple vulnerabilities have been found in the firmware of the Yi Technology Home Camera 27US, several of which could allow remote code execution on the connected device.

The Yi Home Camera 27US is one of the newer IoT camera models sold in the U.S. It’s an entry-level gadget that lets owners view the camera’s feed from anywhere, and features offline storage and subscription-based cloud storage.

First uncovered by Cisco Talos and disclosed Wednesday, five network-exploitable flaws in the firmware open the door to command injection, network authentication bypass and disabling the device outright.

In practice, exploitation could let an attacker stop the camera from recording, delete videos stored on it and intercept its video feed. Adversaries could also potentially launch attacks against the camera owner’s phone app, Talos researchers said, or use the camera as a foothold from which to attack other devices on the home network, such as laptops, smart TVs and tablets.

Five other vulnerabilities were also uncovered, although they require physical access for successful exploitation. This “makes them less of a concern if the camera is stored safely inside of the venue that they are protecting,” according to Talos.

The network-based vulnerabilities all build on a core flaw, CVE-2018-3947: the camera’s traffic to and from the Yi Home phone application is sent in cleartext. An attacker on the same network can therefore observe it with an ordinary packet sniffer such as Wireshark, and tamper with it, in order to gain administrative access to the camera. From there, he or she can intercept the video feed and chain the other four vulnerabilities, ultimately achieving remote code execution.

“All of these vulnerabilities are [carried out] over cleartext protocols, either unencrypted UDP or HTTP,” Talos researchers said.

According to Talos, the most worrying of the remaining vulnerabilities is CVE-2018-3892, a code-execution flaw in the camera’s time-syncing functionality. Because the time_sync request is made over cleartext HTTP, an attacker who can intercept and alter the response can deliver a specially crafted reply that triggers code execution on the device.

“[This] is easily the most severe vulnerability out of the batch, requiring only the ability to respond to an HTTP request from the camera in order to hit a command injection and subsequent code execution,” Talos researchers said. “The vulnerable time_sync request happens extremely often, as soon as the device connects to the network.”
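The injection class Talos describes for time_sync is worth seeing next to its fix. The following is an added illustration, not the camera’s firmware or Talos’s proof of concept: the advisory does not say how the firmware consumes the time_sync response, so the vulnerable side models the classic pattern of splicing an HTTP response body into a shell command (GNU `date -s` is an assumption), and the hardened side parses the body against a strict allow-list and builds an argv list that never touches a shell. Both response bodies are constructed samples, and nothing in the block actually executes a command.

```python
"""Added illustration of the time_sync injection class described above.

NOT the camera's code: the firmware's actual handling of the response is
not documented on this page, so `date -s` and the body format are
assumptions.  The vulnerable function returns the command string a shell
would receive instead of running it; count_shell_commands() then shows
how a POSIX shell would tokenise that string."""
import re
import shlex
from datetime import datetime, timezone
from typing import List

# Constructed sample bodies: what a time server would answer, and what an
# on-path attacker who can answer the camera's cleartext HTTP request could
# substitute (the injected command is a harmless marker, not a payload).
BENIGN_BODY = "2018-10-31 18:32:07"
MALICIOUS_BODY = "2018-10-31 18:32:07'; id > /tmp/pwned #"

SHELL_SEPARATORS = {";", "&&", "||", "|", "&"}


def vulnerable_command(body: str) -> str:
    """The unsafe pattern: attacker-controlled text becomes shell syntax.

    Returned as a string rather than passed to os.system() so the example is
    safe to run; the point is what a shell would make of it."""
    return f"date -s '{body}'"


def count_shell_commands(command_line: str) -> int:
    """Tokenise as a POSIX shell would and count the separate commands.

    Two or more commands in a line that was meant to run one is the injection."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands, current = 0, []
    for tok in list(lexer) + [";"]:
        if tok in SHELL_SEPARATORS:
            if current:
                commands += 1
            current = []
        else:
            current.append(tok)
    return commands


TIME_SYNC_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")


def parse_time_sync(body: str) -> datetime:
    """Strict allow-list parse: anything that is not exactly one timestamp is
    rejected before it can reach any command, and strptime then guarantees the
    fields are a real calendar date (e.g. month 13 is refused)."""
    body = body.strip()
    if not TIME_SYNC_RE.fullmatch(body):
        raise ValueError("time_sync response rejected: not a bare timestamp")
    return datetime.strptime(body, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def time_sync_accepted(body: str) -> bool:
    """Convenience check: does the hardened parser accept this body?"""
    try:
        parse_time_sync(body)
        return True
    except ValueError:
        return False


def hardened_command(body: str) -> List[str]:
    """Build an argv list for subprocess.run(argv) with no shell.

    The timestamp is re-serialised from the parsed datetime, so even a future
    regex mistake cannot leak raw bytes into the argument, and no shell ever
    interprets the value."""
    ts = parse_time_sync(body)
    return ["date", "-u", "-s", ts.strftime("%Y-%m-%d %H:%M:%S")]
```

Strict parsing closes the injection, but it does not close the underlying problem Talos points at: an attacker who can answer a cleartext HTTP request can still hand the camera any well-formed but false time. Only an authenticated channel (TLS, or a signed response) stops the on-path attacker from choosing the value at all.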

CVE-2018-3935 and CVE-2018-3928 are both denial-of-service (DoS) flaws triggered by sending a specially crafted set of UDP packets to the camera. The former causes the camera to allocate unlimited memory; the latter resides in the firmware update functionality, where the packets can cause a settings change that also leaves the device in a DoS state.

“[These] were both found within the p2p_tnp binary, which is the main controller for phone-to-camera and cloud-to-camera communication,” explained Talos researchers. “That binary also implements a custom UDP peer-to-peer (P2P) protocol for all of the aforementioned features. In both vulnerabilities, some seemingly artifact opcodes could be accessed without authentication, which would allow an attacker to either permanently disable the video feed or cause unlimited memory to be allocated, both rendering the camera useless.”

The last of the network-based vulnerabilities, CVE-2018-3934, is an authentication bypass in the firmware update functionality of the camera. A specially crafted set of UDP packets triggers a logic flaw that results in the bypass. An attacker first sniffs a token from the cleartext traffic (the core CVE-2018-3947), then sends the packets to trigger the vulnerability, Cisco said.

“[The flaw] allows an attacker to reuse tokens that can be sniffed over the wire … so that one sniffed token can be used an unlimited number of times by an attacker to access the p2p_tnp API that is normally reserved for the camera’s owner, via the Yi Home phone application,” Talos researchers said. “This access only lasts until the device reboots, at which point another token needs to be sniffed.”
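The three p2p_tnp weaknesses above (a token that is sniffable because the protocol is cleartext, reusable without limit until reboot, and opcodes that allocate memory without any authentication) share one design lesson, so here is a single added toy model that contrasts them with a hardened design. It is not the p2p_tnp protocol: the advisories give no wire format, so the opcodes, fields, shared key and 4 KiB allocation cap are all assumptions. The vulnerable camera trusts a static per-boot token and exposes an unauthenticated allocation opcode; the hardened camera hands out single-use challenges, requires an HMAC over each command, and bounds any size a packet can request.

```python
"""Added toy model of the control-plane weaknesses described above.

NOT the p2p_tnp protocol: opcodes, fields, the shared key and the cap are
assumptions. VulnerableCamera trusts a static token (sent in cleartext, so
it can be sniffed and replayed until reboot) and leaves an 'artifact'
opcode reachable without auth. HardenedCamera binds every command to a
fresh single-use nonce with an HMAC and caps caller-declared sizes."""
import hashlib
import hmac
import secrets
import struct

OP_STREAM = 0x10   # assumed: an owner-only command
OP_ALLOC = 0x70    # assumed: leftover opcode that allocates a caller-declared size
MAX_ALLOC = 4096   # hardened cap on any size an untrusted packet may request


def sign(key: bytes, nonce: bytes, opcode: int, payload: bytes) -> bytes:
    """MAC the phone app computes over everything the camera will act on."""
    return hmac.new(key, nonce + bytes([opcode]) + payload, hashlib.sha256).digest()


class VulnerableCamera:
    """Static per-boot token; any sniffed copy works until the next reboot."""

    def __init__(self):
        self.token = secrets.token_hex(8)   # travels over the wire in cleartext
        self.allocated = 0

    def handle(self, opcode: int, token: str, payload: bytes) -> str:
        if opcode == OP_ALLOC:               # reachable with no authentication
            self.allocated += struct.unpack(">I", payload[:4])[0]
            return "alloc"
        if token != self.token:
            return "denied"
        return "ok"


class HardenedCamera:
    """Challenge-response: each command is bound to a fresh, single-use nonce."""

    def __init__(self, shared_key: bytes):
        self.key = shared_key                # assumed provisioned at pairing time
        self.pending = set()
        self.allocated = 0

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self.pending.add(nonce)
        return nonce

    def handle(self, opcode: int, nonce: bytes, tag: bytes, payload: bytes) -> str:
        if nonce not in self.pending:        # unknown, or already consumed: a replay
            return "denied"
        self.pending.discard(nonce)          # single use
        if not hmac.compare_digest(sign(self.key, nonce, opcode, payload), tag):
            return "denied"                  # opcode or payload was tampered with
        if opcode == OP_ALLOC:
            size = struct.unpack(">I", payload[:4])[0]
            if size > MAX_ALLOC:
                return "rejected"            # bound the allocation even for the owner
            self.allocated += size
            return "alloc"
        return "ok"


def replay_against_vulnerable() -> list:
    """A sniffed token is accepted every time it is replayed."""
    cam = VulnerableCamera()
    sniffed = cam.token                      # observed on the wire, Wireshark-style
    return [cam.handle(OP_STREAM, sniffed, b"") for _ in range(3)]


def replay_against_hardened() -> tuple:
    """Owner command succeeds; its replay and a tampered copy are both denied."""
    key = secrets.token_bytes(32)
    cam = HardenedCamera(key)
    nonce = cam.challenge()
    tag = sign(key, nonce, OP_STREAM, b"")
    owner = cam.handle(OP_STREAM, nonce, tag, b"")       # legitimate use
    replay = cam.handle(OP_STREAM, nonce, tag, b"")      # identical bytes, replayed
    nonce2 = cam.challenge()
    tag2 = sign(key, nonce2, OP_STREAM, b"")
    tampered = cam.handle(OP_ALLOC, nonce2, tag2, b"\0\0\0\1")  # opcode swapped
    return owner, replay, tampered


def unbounded_alloc() -> tuple:
    """Anonymous 4 GiB request: honoured by the vulnerable camera, refused by the other."""
    huge = struct.pack(">I", 0xFFFFFFFF)
    vuln = VulnerableCamera()
    v = vuln.handle(OP_ALLOC, "not-the-token", huge)     # no auth needed
    key = secrets.token_bytes(32)
    hard = HardenedCamera(key)
    anon = hard.handle(OP_ALLOC, b"\0" * 16, b"\0" * 32, huge)
    nonce = hard.challenge()
    owner = hard.handle(OP_ALLOC, nonce, sign(key, nonce, OP_ALLOC, huge), huge)
    return v, vuln.allocated, anon, owner
```

Two caveats a practitioner would add: the HMAC gives integrity and replay protection but no confidentiality, so a video feed carried this way is still readable on the wire, and the real remedy for CVE-2018-3947 is an authenticated, encrypted transport (TLS or DTLS) rather than a MAC bolted onto cleartext; and the set of outstanding challenges must itself be bounded and expire, or an attacker can turn the challenge endpoint into a fresh memory-exhaustion DoS.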

The five remaining vulnerabilities require physical proximity or access to exploit: an attacker would need to insert an SD card into the device, have the camera scan a QR code, or set up a wireless access point nearby in order to achieve compromise.

“Because of this, it is suggested that these devices are not kept in areas where they are physically available to others, and once again, that the devices’ firmware is updated as soon as possible,” Talos noted.

The physical flaws include CVE-2018-3890/3891, which can be triggered by inserting a weaponized SD card into the camera: a specially crafted file causes a logic flaw, resulting in a firmware downgrade.

CVE-2018-3898/3899 allow an attacker to use a specially crafted QR code to cause a buffer overflow, resulting in code execution; the attacker only needs to get the camera to scan the code. CVE-2018-3900, meanwhile, is a firmware downgrade vulnerability that also exists in the QR code-scanning functionality and is likewise triggered by a specially crafted QR code.

Finally, CVE-2018-3910 was found in the cloud-based over-the-air (OTA) setup functionality of the Yi Home Camera. An attacker can set up a specially crafted wireless access point near the camera, with an SSID that spoofs the user’s legitimate WiFi access point, and so intercept its traffic.

The Internet of Things continues to be a ripe hunting ground for cybercriminals: in the rush to get in-demand connected things to market, they often have not been hardened as thoroughly as traditional computing devices. As a result, IoT cameras and other devices have continually turned up with a range of vulnerabilities.