Ubiquiti AirVision Video Stream Auth Bypass

Neils
Feb 15, 2016


In Ubiquiti’s AirVision cameras, the RTSP stream is easily discovered and requires no authentication to view.

Example: without valid credentials you cannot view the stream through the web portal at https://IP/login.cgi?uri=/ , but if you go directly to the RTSP stream, rtsp://IP:554/live/ch00_0 , you can view it with no login at all.
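As an added example (not code from the original post or from Ubiquiti), the following Python script lets an administrator verify the behaviour described above against their own camera: it sends one RTSP DESCRIBE request with no Authorization header and reports whether the server answered 200 (stream is open to anyone who can reach TCP/554), 401 (credentials required, the expected behaviour after upgrading), or something else. The stream path /live/ch00_0 and port 554 come from the post; the host 192.0.2.10 is a documentation address standing in for a real camera, and the sample replies at the bottom are constructed so the classifier can be exercised offline.

```python
"""Self-audit: does a camera's RTSP endpoint answer DESCRIBE with no credentials?

Added example, not code from the original post or from Ubiquiti. It sends a
single RTSP DESCRIBE (RFC 2326) without an Authorization header and classifies
the status line. Run it against cameras you administer, e.g. to confirm that a
firmware upgrade now rejects anonymous stream access.
"""
import socket
import sys
from urllib.parse import urlparse

# Stream path and port as given in the post; the host is an RFC 5737
# documentation address standing in for a real camera (assumption).
DEFAULT_STREAM = "rtsp://192.0.2.10:554/live/ch00_0"


def build_describe_request(url: str, cseq: int = 1) -> bytes:
    """Minimal RTSP/1.0 DESCRIBE request that deliberately carries no credentials."""
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "User-Agent: rtsp-self-audit/0.1\r\n"
        "\r\n"
    ).encode("ascii")


def classify_rtsp_response(raw: bytes) -> str:
    """Map the RTSP status line to an audit verdict.

    'open'          200 without credentials: anyone who can reach TCP/554 can view
    'auth-required' 401 (server demands Basic/Digest auth): expected behaviour
    'not-found'     404: path does not exist on this device
    'other'         anything else, including malformed or empty replies
    """
    status_line = raw.split(b"\r\n", 1)[0].decode("ascii", errors="replace")
    parts = status_line.split(" ")
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        return "other"
    return {"200": "open", "401": "auth-required", "404": "not-found"}.get(parts[1], "other")


def read_rtsp_headers(sock: socket.socket, limit: int = 64 * 1024) -> bytes:
    """Read until the blank line that ends the RTSP header block (or the peer closes)."""
    data = b""
    while b"\r\n\r\n" not in data and len(data) < limit:
        chunk = sock.recv(4096)
        if not chunk:
            break
        data += chunk
    return data


def audit_stream(url: str, timeout: float = 5.0) -> str:
    """Connect to the camera named in `url` and return the verdict for an anonymous DESCRIBE."""
    parsed = urlparse(url)
    if parsed.scheme != "rtsp" or not parsed.hostname:
        raise ValueError(f"not an rtsp:// URL: {url!r}")
    with socket.create_connection((parsed.hostname, parsed.port or 554), timeout=timeout) as sock:
        sock.sendall(build_describe_request(url))
        return classify_rtsp_response(read_rtsp_headers(sock))


# Constructed sample replies, used to exercise the classifier without a camera.
SAMPLE_OPEN = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_AUTH_REQUIRED = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="camera", nonce="0123456789abcdef"\r\n\r\n'
)

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_STREAM
    print(f"{target}: {audit_stream(target)}")
```

A verdict of "open" on a device that should require a login is the condition the post describes; the fix the vendor pointed to (UniFi Video's randomized stream paths) shows up here as "not-found" for the old fixed path, while a properly authenticated server answers "auth-required".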

Discovery: I was curious how Shodan was able to pull down images from webcams that had a non-default authentication setup, but had their RTSP port exposed.

It turns out this is a commonly known method to set up third-party apps, DVRs, etc. in order to watch the camera.

So with that I filed a report in HackerOne, UBNT’s portal of choice for bug communications, on Dec 29, 2015.

On Jan 12th, 2016:

Hi Neil,

What version are you seeing this on?

I replied that all versions of AirVision were impacted.

Then on Feb 15th, 2016 the ticket was marked as closed:

Hi Neil,

airVision has been replaced with UniFi Video. Please test against latest UV version in the future. UV uses a random string for RTSP streams.

Thanks for testing.

So there you go. If you don’t update to UniFi Video, there is a good chance that someone else is watching your camera too. Or making gifs out of it.

For more reading on the topic of web cams exposed on the internet, Ars Technica did a nice article on the topic.
