New Annke Vulnerability Shows Risks of IoT Security Camera Systems

New Annke Vulnerability Shows Risks of IoT Security Camera Systems

Nozomi Networks Labs has discovered a critical Remote Code Execution (RCE) vulnerability (CVE-2021-32941) related to the web service of the Annke N48PBB network video recorder (NVR). This information is being shared as part of a coordinated disclosure with ICS-CERT, which published advisory ICSA-21-238-02, and with the vendor, Annke, which has released firmware that fixes the issue.

Exploitation of the vulnerability might result in the loss of confidentiality, integrity, and availability of the device itself, as well as the data stored inside it. Outcomes could potentially include a loss of employee privacy, a loss of confidentiality regarding valuable assets, or a shut down of the NVR at will.

Annke is a global security solutions company, and its security cameras and NVRs are used by both businesses and homeowners. We urge you to check your facilities for use of the Annke N48PBB, and if present, to immediately apply the patch to protect your surveillance system.

This post introduces the cybersecurity risks of modern IoT security camera systems, describes our research into the Annke N48PBB vulnerability, and shares our recommendations for mitigating risk.

Video Surveillance Camera Systems are Now IoT Systems—with Corresponding Cyber Risks

Modern video surveillance systems are classified as Internet of Things (IoT) devices, and represent a fundamental component of the physical security of a company.

Surveillance systems have massively evolved over the years from the traditional analog-based cameras directly connected to televisions and recording on magnetic tapes. Today, digital IP (internet protocol) cameras are connected to the local computer network, like any other desktop or laptop, and record video footage on standard computer storage. Their audio/visual streams are often viewed remotely, over the internet.

As is often the case with IoT, these devices, though apparently simple, suffer from the same cybersecurity risks as more traditional network devices. The well-known Mirai botnet, for instance, targeted IP cameras in the same way routers or printers can be targeted, aiming to compromise them and, subsequently, (ab)use them for large-scale network attacks.

Network Video Recorders 101

An NVR is a type of IoT device designed to connect to a local Ethernet network and capture incoming video feeds from all explicitly configured IP cameras in the same network. NVRs are usually equipped with sizeable hard drives (in the order of TeraBytes), or other permanent memory solutions, to store video content for days.

When setting up IP cameras for surveillance, an NVR serves as a dedicated device for the monitoring and recording of all video footage. It also provides centralized management of the entire IP camera system.

By accessing the exposed web panel of NVRs, operators can watch the live stream coming from all connected cameras, as well as play back all video content stored on the device. In addition, administrators can remotely manage the camera system by performing maintenance operations on all the connected cameras or setting global alerts for any camera to detect specific events.

IoT Security Camera System Concerns

NVRs are clearly powerful and essential components of a company’s surveillance system. Consequently, they are also highly attractive targets for criminals.

A small subset of potential consequences of an attacker’s unauthorized access to an NVR could include the loss of:

  • Confidentiality: they may access any private information recorded on videos, obtain the position of valuable assets, or stalk people;
  • Integrity: they may delete video footage containing undesired content, or change the configuration of motion detection alarms;
  • Availability: they may selectively stop the recording of specified cameras, or shut down the NVR altogether at convenient times.

Indeed, NVRs represent critical network targets, as the compromise of just one device could directly impact the security of the entire IP camera system.

Meet the Annke N48PBB

Annke is a popular manufacturer of surveillance systems and solutions, producing a variety of IP cameras, NVRs, and accessories. Our analysis focused on the N48PBB, an NVR capable of showing and recording footage of up to eight Power over Ethernet (PoE) IP security cameras.1

As is customary, the N48PBB, among its network services, exposes a web application which allows interaction with the device and the connected cameras. For instance, it’s possible to watch camera live streams, search through the playback functionality, manage users, etc.

The web application defines three account typologies:

  • Administrator: this role has full system permissions.
  • Operator: this role has all the permissions for operating the Control Client and the applications (live view, playback and local configuration by default) on the web client. Custom permissions may be set at user creation.
  • User: this role has limited application operating permissions (live view, playback and limited local configuration by default). Again, custom permissions may be set at user creation.
Web application defining three account typologies
The web application defines three account typologies, which by default have access to the playback functionality.

Annke N48PBB NVR Vulnerability Description

The N48PBB’s playback functionality allows all enabled users (by default, all users) to search the camera footage stored on the NVR. To do so, the following HTTP request is sent by the client:

HTTP request
The HTTP request sent by the client to perform a playback search.

While fuzzing all possible fields of the HTTP request looking for security vulnerabilities, we noticed that sending a start time with trailing arbitrary characters, such as “AAAAAAAAAA…,” would immediately cause the device to close the connection (without even sending an HTTP response), and initiate a reboot. Later, tests proved that this condition was systematically reproducible: a Denial-of-Service (DoS) vulnerability was found.

This behavior is a strong hint of an underlying memory corruption issue, which could lead to more severe impacts. We then proceeded to analyze the vulnerability from the device standpoint, to precisely isolate the vulnerable function and assess the feasibility of other attack scenarios.

The Annke web interface allows enablement of a SSH service on the device, which provides access to a restricted number of commands. To obtain fully unrestricted SSH access, it was necessary to properly debug the system by directly intervening at the hardware level:

  1. The firmware was extracted by physically attaching to the device’s onboard memory.
  2. The firmware was modified to disable all SSH restrictions and add several debugging tools (such as the well-known gdbserver).
  3. The firmware was rewritten to the device’s memory.

This allowed fully unrestricted SSH access to the device and access to the onboard tools needed to locate the root cause of the issue.

The mainboard of the Annke N48PBB
The mainboard of the Annke N48PBB.

After identifying the binary involved in the web interactions with the device, gdbserver was attached to the NVR and program execution was debugged with IDA. Ultimately, this led to the discovery of the vulnerable function: an “sscanf” configured to write the string of characters received from the input into a limited-size buffer on the stack, causing a stack-based buffer overflow. You can see the format strings highlighted in red in the screenshot below, and the buffer address in orange.

Vulnerable “sscanf” function
Vulnerable “sscanf” function, causing a stack-based buffer overflow.

Moreover, we noticed that the return address of the function (shown above in blue) is located almost immediately after the buffer, and that no canaries (which are special random values used to detect memory corruption attacks on the stack) are verified—or any other checks done—prior to performing the jump to the address.

A quick look at the output of “ps” finally confirmed that the binary runs with root privileges on the device, i.e., the highest possible privileges on a Linux system.

This means that the memory corruption bug, initially classified as a DoS, is actually a Remote Code Execution (RCE) issue with root privileges. If exploited, this vulnerability could potentially lead to a full compromise of the device.

As the search functionality is accessible by all users of the device by default, the vulnerability could be exploited (on unpatched NVRs) directly by malicious operators, or users, to elevate their privileges on the system.

Furthermore, as no anti-CSRF (Cross-Site Request Forgery) mitigations were found in the functionality, the vulnerability could be exploited indirectly by external attackers in “drive-by download” attacks. It is sufficient for an administrator, operator, or user to browse a specifically crafted webpage, while simultaneously logged in to the web interface of the device, to potentially cause the execution of external malicious code on the device itself.

In both cases, it would have been possible to enact all impact scenarios previously described in this post.

Annke Acted Quickly on Security Disclosure

The vulnerability, tracked as CVE-2021-32941, was responsibly disclosed by Nozomi Networks to Annke on July 11, 2021 and the company released new firmware which fixes the issue on July 22, 2021. This is a notably fast response time, and we applaud Annke for it. We urge users to download and install the latest firmware version from the Annke website to protect the device from cyberattacks.

Nozomi Networks has released specific updates to its Threat Intelligence service to detect exploitation attempts of the vulnerability.

Don’t Overlook IoT Security Camera Risks

Cyber risks are one of the top risks for boards of directors around the world, and companies are expanding their oversight to include IT, IoT, OT and physical security systems—including video camera surveillance systems.

In 2020, the value of the worldwide video surveillance market passed $45 billion USD, and is expected to grow to $75 billion USD by 2025. The infrastructure sector—including transportation, city surveillance, public places and utilities—is expected to have the highest growth during that period. 2

Given their increasing use, Nozomi Networks Labs continues to research the risks of IoT security camera systems. Earlier this year we released our findings on Reolink and Throughtek security vulnerabilities, and we provide further analysis and recommendations on this topic in our July 2021 OT/IoT Security Report, available below.

We advise organizations to perform careful due diligence when purchasing security camera systems, including a review of the technology involved and consideration of the privacy laws applicable in the jurisdiction of the vendors. We further recommend the implementation of an IoT and OT network monitoring solution. While the functioning of IoT devices is often opaque, monitoring network behavior with anomaly detection technology provides much-needed alerts that highlight unusual behavior—and allows time to stop or mitigate potential harm.

If you would like to find out about our OT and IoT security and visibility solution, simply contact us.

References:

  1. “8 Channel 6MP Super HDF PoE Network Video Recorder,” Annke.
  2. “Size of the global video surveillance market between 2016 and 2025 ,” Statista.