Checkmarx researchers said a pair of IP-enabled security cameras have nearly two dozen flaws that would make them vulnerable to attack.
The Loftek DSS-2200 and VStarcam C7837WIP, manufactured in China and aimed at the consumer market, can also be pressed into service as part of botnets to execute distributed denial of service (DDoS) attacks, according to a report by Threatpost.
The vulnerabilities found are indicative of problems with IP-enabled cameras, including hardcoded credentials, no way to update firmware, and flagging HTTPS support, the report said, and were immediately apparent when researchers first conducted a scan.
By taking advantage of these bugs, “A malicious user can exploit your device to track your day-to-day, know when you're home or out, steal your email information, steal your wireless connection, gain control of other connected devices, use your camera as a bot, listen in to your conversations, record video, and more,” Checkmarx warns in its report, which is accessible via a corresponding blog post.
More than 1.3 million of the cameras have been sold, with 200,000 of those in the U.S.