lasustainable.blogg.se - Yi camera software for mac

That binary also implements a custom UDP peer-to-peer (p2p) protocol for all of the aforementioned features.

TALOS-2018-0602 and TALOS-2018-0595 were both found within the p2p_tnp binary, which is the main controller for phone-to-camera and cloud-to-camera communication. If the slight performance hit was taken to implement the core network functionality over HTTPS, these vulnerabilities would either not have been as severe, or not have been exploitable at all. For half of the vulnerabilities, physical access is required to exploit them, which obviously makes them less of a concern if the camera is stored safely inside of the venue that they are protecting, but for the other five vulnerabilities, there is a network attack vector, raising their severity and the importance of getting the latest firmware.īefore summarizing these network-based vulnerabilities, it is important to note that they are all made possible by TALOS-2018-0616, as all of these vulnerabilities are over cleartext protocols, either unencrypted UDP or HTTP. Exploitationĭue to the nature of IoT devices, more attack surfaces are available on a given device than a typical server or client program. This list is not complete, and many other consequences could occur, so Talos highly recommends that the devices are patched as soon as possible via the Yi Home application.

Act as a foothold into the home network to attack other devices inside.

Potentially launch attacks against the camera owner's phone app.

Disable the camera to prevent it from recording.

An attacker could exploit these vulnerabilities to: There are many consequences to a security vulnerability within the firmware of this security camera. It includes all the functions that one would expect from an IoT device, including the ability to view the camera's feed from anywhere, offline storage, subscription-based cloud storage and easy setup. and is the most basic model out of the Yi Technology camera lineup. The 27US version is one of the newer models sold in the U.S. The Yi Home Camera is an internet-of-things (IoT) home camera sold globally. These vulnerabilities could allow an attacker to gain remote code execution on the devices via a command injection, bypass methods of network authentication, or disable the device.

In order to prevent the exploitation of these vulnerabilities, Talos worked with Yi Technology to make sure a newer version of the firmware is available to users. OverviewĬisco Talos is disclosing multiple vulnerabilities in the firmware of the Yi Technology Home Camera. Vulnerabilities Discovered by Lilith of Cisco Talos.