Allegedly, on or about 6 February 2018, Bob Goodwin sent:
> Thoughts and advice appreciated,

Oh, and check the security of the cameras themselves. There's a huge
number of IP cams with insecure software that not only exposes the
camera to exploits, but your LAN to exploits through the camera.

I bought a cheap $30 one, on a whim, just to see how the robot
mechanism worked. It's one that should never be allowed anywhere near
internet access. It logs into a central server so you can connect to
your camera. That exposes you to rogues who poll the server. And the
camera is easily exploitable with a broken HTTP access request, which
returns the passwords set into the camera. From there, they can write
into the camera, and may be able to exploit your LAN (especially if
you're silly enough to use the same passwords).

http://seclists.org/fulldisclosure/2017/Mar/23
https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html

The problem is created by a stupid implementation of a simplistic
webserver in the cameras.
--
[tim@localhost ~]$ uname -rsvp
Linux 4.14.14-200.fc26.x86_64 #1 SMP Fri Jan 19 13:27:06 UTC 2018 x86_64
Boilerplate: All mail to my mailbox is automatically deleted.
There is no point trying to privately email me, I only get to see
the messages posted to the mailing list.
It seems the modern trend with Linux programmers is to change existing software
so that it's more annoying to use (e.g. making reboots required, when they
never used to be), then denying that *that* is a nuisance, then saying it's
necessary (ignoring that several years of prior versions didn't have that
stupid requirement), then complaining about being criticised for making things
worse. Don't try giving me an Emperor's New Clothes routine, it won't wash.
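
An added example, not part of the original post: one way to check, on a Linux gateway, whether a camera like the one described is logging into an outside server or is reachable from the internet, by classifying `conntrack -L` entries. The camera address, subnets, ports and sample entries are constructed assumptions, and it assumes the camera sits on its own routed segment so the gateway sees its LAN traffic too.

```python
import ipaddress
import re

# Assumptions for this example (none of these values come from the post).
CAMERA = ipaddress.ip_address("192.168.50.10")          # camera on its own segment
LOCAL = ipaddress.ip_network("192.168.0.0/16")          # all home subnets
ALLOWED_PEERS = {ipaddress.ip_address("192.168.50.1")}  # gateway (DNS/NTP)

# Constructed sample in the format printed by `conntrack -L` on the gateway.
SAMPLE = """\
tcp      6 431990 ESTABLISHED src=192.168.1.20 dst=192.168.50.10 sport=51514 dport=80 src=192.168.50.10 dst=192.168.1.20 sport=80 dport=51514 [ASSURED] mark=0 use=1
udp      17 25 src=192.168.50.10 dst=203.0.113.10 sport=14500 dport=32100 src=203.0.113.10 dst=198.51.100.2 sport=32100 dport=14500 mark=0 use=1
tcp      6 110 SYN_SENT src=192.168.50.10 dst=192.168.1.20 sport=40112 dport=22 [UNREPLIED] src=192.168.1.20 dst=192.168.50.10 sport=22 dport=40112 mark=0 use=1
udp      17 12 src=192.168.50.10 dst=192.168.50.1 sport=39000 dport=53 src=192.168.50.1 dst=192.168.50.10 sport=53 dport=39000 mark=0 use=1
tcp      6 431999 ESTABLISHED src=198.51.100.77 dst=198.51.100.2 sport=51000 dport=8080 src=192.168.50.10 dst=198.51.100.77 sport=80 dport=51000 [ASSURED] mark=0 use=1
"""

# Each TCP/UDP entry holds two tuples: original direction, then expected reply.
TUPLE = re.compile(r"src=(\S+) dst=(\S+) sport=(\d+) dport=(\d+)")


def audit(conntrack_text):
    """Return (finding, proto, peer, dport) for every risky camera flow."""
    findings = []
    for line in conntrack_text.splitlines():
        tuples = TUPLE.findall(line)
        if len(tuples) != 2:  # ICMP entries carry no ports and are skipped
            continue
        proto = line.split()[0]
        (o_src, o_dst, _, o_dport), (r_src, _, _, _) = tuples
        o_src, o_dst, r_src = map(ipaddress.ip_address, (o_src, o_dst, r_src))
        dport = int(o_dport)
        if o_src == CAMERA and o_dst not in LOCAL:
            # Camera opened a connection to an outside server.
            findings.append(("phones-home", proto, str(o_dst), dport))
        elif o_src == CAMERA and o_dst not in ALLOWED_PEERS:
            # Camera initiated traffic to another local host.
            findings.append(("lan-initiated", proto, str(o_dst), dport))
        elif r_src == CAMERA and o_src not in LOCAL:
            # Outside host reached the camera through a DNAT/port forward.
            findings.append(("exposed-to-internet", proto, str(o_src), dport))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

Any finding from the real output of `conntrack -L` is a reason to block the camera's forwarding at the gateway, or to move it to a segment with no route out.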