I Always Feel Like Somebody’s W̶a̶t̶c̶h̶i̶n̶g̶ Listening to Me

Jacob Baines
Jul 29, 2019

If you can believe Amazon’s customer review system, I’m one of many people to have purchased an Amcrest IP2M-841B IP camera.

Image for post
Totally real, not fake reviews

Pulling apart the firmware for this device, it’s clear that it’s a rebranded Dahua camera. Dahua has recently been in the news as the US government plans to blacklist the company due to potential spying concerns.

While Dahua devices have seen some egregious security issues in the past, it’s been several years since anything terrible was disclosed. Which is why I was surprised to find that I could remotely listen to the IP2M-841B’s audio over HTTP without authentication. Essentially, if this thing is connected directly to the internet, it’s anyone’s listening device. We’ve assigned this CVE-2019-3948.

Connecting to the audio stream is trivial. Simply point your browser or a tool like VLC at the videotalk endpoint.

Once connected via VLC, nothing appears to happen, but if you look at the network traffic you’ll see quite a bit is going on in the background.

VLC just doesn’t understand the “DHAV” container that the camera has wrapped the audio in. Fortunately, it was pretty easy to write a script that connects to the endpoint and extracts the audio so that it can be played by ffplay.

Perhaps unnecessarily long. Audio plays towards the end… until the copyright strike takes effect.

Amcrest is one of many companies that rebrand Dahua products. But because each company seems to keep their devices at different patch levels or include different features, it remains unclear how many vendors are vulnerable to this particular issue. This Shodan search does yield some non-Amcrest cameras that are vulnerable, but since Dahua was included in our disclosure timeline we assume patches exist or are forthcoming.

Image for post
A mix of OEM cameras and NVR

As usual, don’t expose your cameras to the internet and be wary of your IoT devices in general.
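
To check whether a camera sitting behind a reverse proxy or logging gateway has already been reached this way, the sketch below scans access logs for successful requests to the videotalk endpoint that carried no credentials. It is an added example, not the author's script; the combined-log format, the internal address ranges, the `/videotalk` path shape and the sample lines are all assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed log shape: combined-log style, third field is the authenticated user.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
# Assumed internal ranges; adjust to the local network plan.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample lines; addresses and the exact path are placeholders.
SAMPLE_LOG = """\
192.168.1.20 - admin [29/Jul/2019:10:00:01 +0000] "GET /videotalk HTTP/1.1" 200 524288
203.0.113.45 - - [29/Jul/2019:10:02:13 +0000] "GET /videotalk HTTP/1.1" 200 1048576
198.51.100.7 - - [29/Jul/2019:10:03:40 +0000] "GET /videotalk HTTP/1.1" 401 0
203.0.113.45 - - [29/Jul/2019:10:05:02 +0000] "GET /index.html HTTP/1.1" 200 2048
10.0.0.5 - - [29/Jul/2019:10:06:00 +0000] "GET /videotalk HTTP/1.1" 200 4096
not a log line
"""

def is_internal(addr):
    """True if addr falls in one of the assumed internal networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostname or garbage: treat as external
    return any(ip in net for net in INTERNAL_NETS)

def find_unauth_audio(log_text):
    """Return successful, unauthenticated requests to the videotalk endpoint."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if "videotalk" not in m["path"].lower():
            continue
        if m["status"] != "200" or m["user"] != "-":
            continue  # rejected, or the client authenticated
        findings.append({
            "time": m["ts"],
            "src": m["src"],
            "origin": "internal" if is_internal(m["src"]) else "external",
            "bytes": 0 if m["size"] == "-" else int(m["size"]),
        })
    return findings

if __name__ == "__main__":
    for f in find_unauth_audio(SAMPLE_LOG):
        print(f)
```

Any hit means the device served audio without asking for credentials; hits with an external origin also mean the camera is reachable from outside the network.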

Image for post
“All I want is to be left alone inside my average home”

Tenable TechBlog
