March 24, 2018 Sarvotarzan

Major Security Loophole in CP Plus CCTV Camera / Any CCTV Camera

With the help of this loophole, anyone, yes, literally anyone can access anyone’s CP Plus CCTV camera via CP Plus CCTV Camera Mobile App over the internet & that too without leaving any trace. We have tested it for CP Plus CCTV App but it is equally damaging to any company’s CCTV Camera which is connected to internet and has static IP access functionality for the customers.

So, why do we install CCTV and in our homes and offices? For Security, right? And we connect our CCTV to the internet so that we can access our CCTV footages from anywhere in the world. But, what if the same CCTVs are used by thieves to know about our location inside and outside the house? In simple words, what if they can perform a 24×7 surveillance of your home / office without leaving any traces and the worst part is, you won’t know it at all? If this scares you, better be prepared for this nerve chilling exploit tested by Team Sarvotarzan.

Recently we have seen the mind boggling case of Facebook Data Breach and whatnot. Also, there have been several instances in which we believe that our CCTV might be sending our CCTV Footage to another rival country’s server. But, what if we tell you that the attacker neither need to be a professional hacker nor even a technically sound person to perform this attack? Then what would you do?

So, what’s the exploit? The exploit is fairly simple to understand.

“In our research, we found that 90% of the customers of CP Plus CCTV Camera didn’t change the DEFAULT USERNAME and DEFAULT PASSWORD even when they are connected to internet. So, you can literally access their internet connected CCTV Camera via CP Plus CCTV App from anywhere you want, anytime you want and for any duration you want. In this case, the default username is “admin” and the default password is “888888.””

So, what did we do? We did pretty simple steps actually.

  1. We installed CCTV in one our relative’s premises and CP Plus CCTV Camera App in our mobile phone.
  2. We connected all the CCTVs to the internet so that it can accessible via CP Plus CCTV Camera App.
  3. We did a HIT & TRIAL method to find out the Victim’s Serial number by adding / subtracting consecutive / random digits to our serial number.
  4. We waited for gaining the access if it is connected to the internet.
  5. And that’s all, yeah that’s it. If the victim’s serial number would be connected to the internet and would have the default username and default password then voila, you shattered its security into million pieces.
  6. This exploit is App Version independent so you can use any version.

Now, please have a look at it in detail: (Steps Screenshots Enclosed)

  1. Installed a App:

  1. Selected the “Device Manager” option.

 

  1. Our Home Device Details:

 

  1. Our home Footage that could we see in our CP Plus CCTV App:

 

  1. Now, we edited the Serial Number details to *****342:

 

  1. And what we could see, will scare you:

 

 

Here, you can obviously see that just by changing the last two digits, we are able to access some one’s camera in a matter of seconds without doing any technical stuff. We obviously don’t know the victim’s real time location but even that info can easily be extracted by running few Kali Linux Tools. But still, isn’t this information scary enough to dilapidate your privacy wall?

So, now you can obviously see that your so called security camera is highly insecure or should we say, it is actually compromising your security to the maximum extent in a way that your security camera can itself be used for your surveillance without your knowledge.

So, what could be the possible measures, you can take to protect yourself? The answers are also fairly simple.

  1. Change the DEFAULT USERNAME and DEAFULT PASSWORD.
  2. The pressing issue that we want to address here is; the CCTV set-up guys must insist the customers to change the default username and password in front of themselves as in most cases, the customers are highly non-technical yester generation people and they are just not aware of such kind of things.
  3. The Company CP Plus must provide a “Incoming Request Authentication” approval feature in the Mobile App or at the System Admin Panel for the incoming connections so that even if the people did not change their passwords, no-one can access their camera in such ridiculous way.

Also, if CP Plus has such kind of features already, kindly let people know about it asap.

Thanks and have a nice Cyber Safe Day!

Team Sarvotarzan!

, , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,