Vulnerabilities Discovered by Lilith [x_x] of Cisco Talos.

Overview
Cisco Talos is disclosing multiple vulnerabilities in the firmware of the Yi Technology Home Camera. In order to prevent the exploitation of these vulnerabilities, Talos worked with Yi Technology to make sure a newer version of the firmware is available to users. These vulnerabilities could allow an attacker to gain remote code execution on the devices via a command injection, bypass methods of network authentication, or disable the device.

The Yi Home Camera is an internet-of-things (IoT) home camera sold globally. The 27US version is one of the newer models sold in the U.S. and is the most basic model out of the Yi Technology camera lineup.

It includes all the functions that one would expect from an IoT device, including the ability to view the camera's feed from anywhere, offline storage, subscription-based cloud storage and easy setup.

There are many consequences to a security vulnerability within the firmware of this security camera. An attacker could exploit these vulnerabilities to:

  • Disable the camera to prevent it from recording.
  • Delete stored videos on the camera.
  • View video feeds from the camera.
  • Potentially launch attacks against the camera owner's phone app.
  • Act as a foothold into the home network to attack other devices inside.

This list is not complete, and many other consequences could occur, so Talos highly recommends that the devices are patched as soon as possible via the Yi Home application.

Exploitation

Due to the nature of IoT devices, more attack surfaces are available on a given device than on a typical server or client program. Half of the vulnerabilities require physical access to exploit, which makes them less of a concern if the camera is kept safely inside the premises it is protecting, but the other five vulnerabilities have a network attack vector, which raises their severity and the importance of installing the latest firmware.

Before summarizing these network-based vulnerabilities, it is important to note that they are all made possible by TALOS-2018-0616, since all of them travel over cleartext protocols, either unencrypted UDP or HTTP. Had the slight performance hit been taken to implement the core network functionality over HTTPS, these vulnerabilities would either have been far less severe or not exploitable at all.

Denial of service:

TALOS-2018-0602 and TALOS-2018-0595 were both found within the p2p_tnp binary, which is the main controller for phone-to-camera and cloud-to-camera communication. That binary also implements a custom UDP peer-to-peer (p2p) protocol for all of the aforementioned features. In both vulnerabilities, opcodes that appear to be leftover artifacts could be reached without authentication, allowing an attacker either to permanently disable the video feed or to cause unlimited memory to be allocated, both of which render the camera useless.
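The two denial-of-service issues share a defensive lesson: a UDP receiver must never let a length field from the wire drive an allocation, and opcodes outside the handshake must be refused before authentication. The following Python is an added illustration of that receiver discipline, not code from the camera firmware or from Talos; the framing (a 16-bit opcode plus a 32-bit length), the opcode numbers and the caps are constructed assumptions, since the advisory does not publish the real p2p_tnp wire format.

```python
import struct
from typing import Optional, Tuple

# Toy length-prefixed UDP framing, constructed for this example; it is NOT the
# camera's real p2p_tnp protocol, whose wire format the advisory does not give.
HEADER = struct.Struct("!HI")   # opcode (u16), payload length (u32), network byte order
MAX_PAYLOAD = 4096              # hard cap on any single payload, whatever the header claims

# Hypothetical opcodes. Only the handshake may be processed before authentication.
OP_HELLO = 0x0001
OP_SET_SETTING = 0x0010
UNAUTHENTICATED_OPCODES = {OP_HELLO}


class PeerState:
    """Per-peer receiver state; `authenticated` flips only after a successful handshake."""

    def __init__(self) -> None:
        self.authenticated = False


def claimed_length(datagram: bytes) -> int:
    """Return the byte count a naive receiver would allocate if it trusted the
    length field before comparing it with what actually arrived. Returning the
    number (instead of allocating it) is what lets the example run safely."""
    _opcode, length = HEADER.unpack_from(datagram)
    return length


def parse_frame(datagram: bytes, state: PeerState) -> Tuple[int, bytes]:
    """Hardened receiver: the length field never drives an allocation, it is
    checked against the bytes actually received, and opcodes outside the
    handshake are refused until the peer has authenticated."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than header")
    opcode, length = HEADER.unpack_from(datagram)
    if length > MAX_PAYLOAD:
        raise ValueError(f"payload length {length} exceeds cap {MAX_PAYLOAD}")
    body = datagram[HEADER.size:]
    if len(body) != length:
        raise ValueError("length field does not match datagram size")
    if opcode not in UNAUTHENTICATED_OPCODES and not state.authenticated:
        raise PermissionError(f"opcode {opcode:#06x} requires authentication")
    return opcode, body


def build_frame(opcode: int, payload: bytes, claimed: Optional[int] = None) -> bytes:
    """Build a datagram; `claimed` lets a test forge a length field that lies."""
    length = len(payload) if claimed is None else claimed
    return HEADER.pack(opcode, length) + payload


if __name__ == "__main__":
    state = PeerState()
    forged = build_frame(OP_SET_SETTING, b"", claimed=0xFFFFFFFF)
    print("naive receiver would allocate", claimed_length(forged), "bytes")
    try:
        parse_frame(forged, state)
    except ValueError as err:
        print("hardened receiver rejected it:", err)
    state.authenticated = True
    print(parse_frame(build_frame(OP_SET_SETTING, b"night_mode=1"), state))
```

The three checks in `parse_frame` are independent and cheap; the cap on `MAX_PAYLOAD` bounds memory per datagram, the equality check bounds it to what the socket already delivered, and the opcode gate keeps forgotten or debugging opcodes from being reachable by any host on the network.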

Remote Code Execution:

TALOS-2018-0567 is easily the most severe vulnerability out of the batch, requiring only the ability to respond to an HTTP request from the camera in order to hit a command injection and subsequent code execution. The vulnerable time_sync request happens extremely often as soon as the device connects to the network.
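The root cause pattern behind a command injection in a time-sync client is that a value received from the network is spliced into a shell command line instead of being parsed into a typed value. The example below is an added illustration, not the camera's code or Talos's proof of concept: it contrasts a vulnerable pattern (returning the command string a naive client would hand to a shell) with a strict parser that accepts only a plausible Unix timestamp and passes it to the system as an argument vector. The response format (a bare decimal timestamp) and the sample responses are constructed assumptions; the advisory does not publish the real time_sync format.

```python
import re
from datetime import datetime, timezone
from typing import List

# Constructed sample HTTP response bodies (not real camera traffic).
GOOD_RESPONSE = b"1538000000"
TAMPERED_RESPONSE = b"1538000000; echo not-a-timestamp"

# Only a bare decimal timestamp is acceptable; nothing else is a valid time.
TIMESTAMP_RE = re.compile(rb"^\d{9,11}$")
EARLIEST_PLAUSIBLE = 1_262_304_000   # 2010-01-01 UTC; anything earlier is a bad clock source
LATEST_PLAUSIBLE = 4_102_444_800     # 2100-01-01 UTC


def vulnerable_command_line(body: bytes) -> str:
    """Vulnerable pattern: the response body is concatenated into a shell
    command. This only RETURNS the string so the example can show the
    problem; a naive client would pass it to system()."""
    return "date -s @" + body.decode("utf-8", errors="replace")


def parse_time_sync(body: bytes) -> datetime:
    """Hardened parser: reject anything that is not a plausible timestamp.
    Shell metacharacters, whitespace and extra fields never get past the
    regex, and the value is converted to a typed datetime before use."""
    body = body.strip()
    if not TIMESTAMP_RE.match(body):
        raise ValueError("time_sync response is not a bare decimal timestamp")
    seconds = int(body)
    if not (EARLIEST_PLAUSIBLE <= seconds <= LATEST_PLAUSIBLE):
        raise ValueError(f"timestamp {seconds} outside plausible range")
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def apply_time_argv(when: datetime) -> List[str]:
    """Build the argument vector for setting the clock without a shell
    (e.g. subprocess.run(argv, shell=False)). The only variable part is a
    formatted datetime that the parser already validated."""
    return ["date", "-u", "-s", when.strftime("%Y-%m-%d %H:%M:%S")]


if __name__ == "__main__":
    print("naive client would run:", vulnerable_command_line(TAMPERED_RESPONSE))
    try:
        parse_time_sync(TAMPERED_RESPONSE)
    except ValueError as err:
        print("hardened client rejected tampered response:", err)
    print("hardened client would run:", apply_time_argv(parse_time_sync(GOOD_RESPONSE)))
```

Strict parsing removes the injection, but it does not make an attacker-controlled time source safe; the response also needs authenticity (HTTPS with a pinned or validated certificate, or a signed payload), which is the point the advisory makes about TALOS-2018-0616.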

Administrative Access:

The last of the network-based vulnerabilities, TALOS-2018-0601, allows an attacker to reuse authentication tokens sniffed over the wire (made possible by TALOS-2018-0616): a single sniffed token can be replayed an unlimited number of times to access the p2p_tnp API that is normally reserved for the camera's owner through the Yi Home phone application. This access lasts only until the device reboots, at which point another token needs to be sniffed.
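A token that stays valid for an unlimited number of uses is exactly what turns passive sniffing into an authentication bypass. The following Python is an added example, not the camera's or Talos's code, of the server-side discipline that closes that gap: the device issues a random single-use nonce with a short lifetime, the client proves possession of a shared key by HMAC-ing that nonce, and the device marks the nonce as consumed on first success so a replayed proof is refused. The shared-key scheme, the 30-second lifetime and the `clock` injection used for testing are constructed assumptions.

```python
import hmac
import hashlib
import secrets
import time
from typing import Callable, Dict, Set


def compute_proof(shared_key: bytes, nonce: str) -> str:
    """Client side: prove possession of the shared key for this one nonce."""
    return hmac.new(shared_key, nonce.encode("ascii"), hashlib.sha256).hexdigest()


class ReusableTokenAuthenticator:
    """Weak pattern: any token ever issued stays valid until the process
    restarts, so a sniffed token can be replayed without limit."""

    def __init__(self) -> None:
        self.valid: Set[str] = set()

    def issue_token(self) -> str:
        token = secrets.token_hex(16)
        self.valid.add(token)
        return token

    def verify(self, token: str) -> bool:
        return token in self.valid


class NonceAuthenticator:
    """Hardened pattern: nonces are random, short-lived and single-use, and
    the client must prove possession of the shared key for each one."""

    def __init__(self, shared_key: bytes, ttl_seconds: float = 30.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.shared_key = shared_key
        self.ttl = ttl_seconds
        self.clock = clock
        self.issued: Dict[str, float] = {}   # nonce -> expiry time
        self.consumed: Set[str] = set()       # nonces already used once

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)          # 128 bits of randomness, never reused
        self.issued[nonce] = self.clock() + self.ttl
        return nonce

    def verify(self, nonce: str, proof: str) -> bool:
        if nonce in self.consumed:             # replay of a used nonce
            return False
        expiry = self.issued.get(nonce)
        if expiry is None or self.clock() > expiry:   # unknown or expired
            self.issued.pop(nonce, None)
            return False
        expected = compute_proof(self.shared_key, nonce)
        if not hmac.compare_digest(expected, proof):  # constant-time compare
            return False
        self.consumed.add(nonce)               # first success burns the nonce
        del self.issued[nonce]
        return True


if __name__ == "__main__":
    key = b"constructed-demo-key"
    auth = NonceAuthenticator(key)
    nonce = auth.issue_nonce()
    proof = compute_proof(key, nonce)
    print("first use accepted:", auth.verify(nonce, proof))
    print("replay accepted:", auth.verify(nonce, proof))
```

Single-use nonces stop replay, but an attacker who can read the cleartext channel still sees every nonce and proof as they are sent; binding the exchange to an encrypted, server-authenticated transport is what keeps the proof from being observable in the first place.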

Physical and Local Attack Vectors:

As noted above, IoT devices tend to lend themselves to vulnerabilities with more unusual attack vectors, and the Yi Home Camera is no exception. Vulnerabilities were found via the firmware update functionality (TALOS-2018-0565, TALOS-2018-0584 and TALOS-2018-0566), the SSID that the camera connects to for wireless access (TALOS-2018-0580) and via the QR code that is used when setting up the device out of the box (TALOS-2018-0572 and TALOS-2018-0571). Because of this, it is suggested that these devices are not kept in areas where they are physically available to others, and once again, that the devices' firmware is updated as soon as possible.

Vulnerability Summaries

TALOS-2018-0565 -- Yi Technology Home Camera 27US Firmware Update Code Execution Vulnerability

An exploitable code execution vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted file can cause a logic flaw and command injection, resulting in code execution. An attacker can insert an SD card to trigger this vulnerability.

TALOS-2018-0566 / CVE-2018-3891 - Yi Technology Home Camera 27US Firmware Downgrade Vulnerability

An exploitable firmware downgrade vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted file can cause a logic flaw, resulting in a firmware downgrade. An attacker can insert an SD card to trigger this vulnerability.

TALOS-2018-0567 -- Yi Technology Home Camera 27US TimeSync Code Execution Vulnerability

An exploitable firmware downgrade vulnerability exists in the time syncing functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted packet can cause a buffer overflow, resulting in code execution. An attacker can intercept and alter network traffic to trigger this vulnerability.

TALOS-2018-0571 / CVE-2018-3898, CVE-2018-3899 - Yi Technology Home Camera 27US QR Code trans_info Code Execution Vulnerability

An exploitable code execution vulnerability exists in the QR code-scanning functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted QR code can cause a buffer overflow, resulting in code execution. An attacker can make the camera scan a QR code to trigger this vulnerability.

TALOS-2018-0572 / CVE-2018-3900 - Yi Technology Home Camera 27US QR Code Base64 Code Execution Vulnerability

An exploitable firmware downgrade vulnerability exists in the QR code-scanning functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted QR code can cause a buffer overflow, resulting in code execution. An attacker can make the camera scan a QR code to trigger this vulnerability.

TALOS-2018-0580 / CVE-2018-3910 - Yi Technology Home Camera 27US cloudAPI SSID Code Execution Vulnerability

An exploitable code execution vulnerability exists in the cloud OTA setup functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted SSID can cause a command injection, resulting in code execution. An attacker can cause a camera to connect to this SSID to trigger this vulnerability. Alternatively, an attacker can convince a user to connect their camera to this SSID.

TALOS-2018-0595 / CVE-2018-3928 - Yi Technology Home Camera 27US Notice_To Denial Of Service Vulnerability

An exploitable code execution vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted set of UDP packets can cause the settings to change, resulting in a denial of service. An attacker can send a set of packets to trigger this vulnerability.

TALOS-2018-0601 / CVE-2018-3934 - Yi Technology Home Camera 27US Nonce Reuse Authentication Bypass Vulnerability

An exploitable code execution vulnerability exists in the firmware update functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted set of UDP packets can cause a logic flaw, resulting in an authentication bypass. An attacker can sniff network traffic and send a set of packets to trigger this vulnerability.

TALOS-2018-0616 / CVE-2018-3947 - Yi Technology Home Camera 27US p2p_tnp Cleartext Data Transmission Vulnerability

An exploitable information disclosure vulnerability exists in the phone-to-camera communications of Yi Home Camera 27US 1.8.7.0D. An attacker can sniff network traffic and trigger this vulnerability.

TALOS-2018-0602 / CVE-2018-3935 - Yi Technology Home Camera 27US CRCDec Denial Of Service Vulnerability

An exploitable code execution vulnerability exists in the UDP network functionality of Yi Home Camera 27US 1.8.7.0D. A specially crafted set of UDP packets can allocate unlimited memory, resulting in denial of service. An attacker can send a set of packets to trigger this vulnerability.

Versions Tested

The Yi Technology Home Camera 27US 1.8.7.0D version of the firmware was used during the discovery of the vulnerabilities listed above.


Firmware at Yi Technology

Conclusion

With the increased convenience of IoT devices comes a new set of attack vectors that have not been hardened as thoroughly as traditional ones. As such, Talos recommends that users apply these newly available firmware updates in order to ensure continued and secure operation. This can be done via the Yi Home phone app, which will notify the user of the new firmware when opened. It is also recommended that the user check the device's firmware version in the phone app after the update, to confirm that the update did in fact occur.

Coverage

The following SNORTⓇ rules will detect exploitation attempts. Note that additional rules may be released at a future date, and current rules are subject to change pending additional vulnerability information. For the most current rule information, please refer to your Firepower Management Center or Snort.org.

Snort Rules:
46190-46191, 46294-46295, 46780, 46870

For other vulnerabilities Talos has disclosed, please refer to our Vulnerability Report Portal here.

To review our Vulnerability Disclosure Policy, please visit this site here.