Vulnerabilities Discovered by Lilith [x_x] of Cisco Talos.
Overview
Cisco Talos is disclosing multiple vulnerabilities in the firmware of the Yi Technology Home Camera. In order to prevent the exploitation of these vulnerabilities, Talos worked with Yi Technology to make sure a newer version of the firmware is available to users. These vulnerabilities could allow an attacker to gain remote code execution on the devices via a command injection, bypass methods of network authentication, or disable the device.
The Yi Home Camera is an internet-of-things (IoT) home camera sold globally. The 27US version is one of the newer models sold in the U.S. and is the most basic model out of the Yi Technology camera lineup.
It includes all the functions that one would expect from an IoT device, including the ability to view the camera's feed from anywhere, offline storage, subscription-based cloud storage and easy setup.
There are many consequences to a security vulnerability within the firmware of this security camera. An attacker could exploit these vulnerabilities to:
- Disable the camera to prevent it from recording.
- Delete stored videos on the camera.
- View video feeds from the camera.
- Potentially launch attacks against the camera owner's phone app.
- Act as a foothold into the home network to attack other devices inside.
This list is not complete, and many other consequences could occur, so Talos highly recommends that the devices are patched as soon as possible via the Yi Home application.