CVE-2017-8228 in IPM-721S

Summary

by MITRE

Amcrest IPM-721S V2.420.AC00.16.R.20160909 devices mishandle reboots within the past two hours. Amcrest cloud services do not perform a thorough verification when allowing the user to add a new camera to the user's account to ensure that the user actually owns the camera other than knowing the serial number of the camera. This can allow an attacker who knows the serial number to easily add another user's camera to an attacker's cloud account and control it completely. This is possible in case of any camera that is currently not a part of an Amcrest cloud account or has been removed from the user's cloud account. Also, another requirement for a successful attack is that the user should have rebooted the camera in the last two hours. However, both of these conditions are very likely for new cameras that are sold over the Internet at many ecommerce websites or vendors that sell the Amcrest products. The successful attack results in an attacker being able to completely control the camera, which includes being able to view and listen on what the camera can see, being able to change the motion detection settings and also being able to turn the camera off without the user being aware of it. Note: The same attack can be executed using the Amcrest Cloud mobile application.


Analysis

by VulDB Data Team • 10/17/2023

The vulnerability described in CVE-2017-8228 is a critical flaw in the cloud-side device registration of Amcrest IPM-721S cameras running firmware V2.420.AC00.16.R.20160909. The Amcrest cloud service accepts a request to add a camera to an account on the strength of the camera's serial number alone; nothing in the flow proves that the requesting user possesses or owns the device. Two further conditions gate the attack: the camera must not currently belong to any cloud account (never claimed, or removed from one), and it must have been rebooted within the preceding two hours. Inside that window, an attacker who knows the serial number can bind the camera to their own account. The weakness maps to CWE-287 (Improper Authentication). In ATT&CK terms the access is best described by T1133 (External Remote Services): the adversary reaches the device through the vendor's Internet-facing cloud service rather than through the victim's network, and no credential of the victim is involved, because the attacker uses their own cloud account.

Both preconditions are easy to meet in practice. The serial number is the only thing the attacker has to know, and a serial number is an identifier printed on the device label, not a secret credential. The two-hour reboot window sounds narrow, but a camera is powered on for the first time, and therefore "rebooted", precisely when a new owner unboxes and installs it, and a camera that has just been set up has usually not yet been added to a cloud account. As the MITRE description notes, both conditions are therefore very likely for new cameras sold through e-commerce sites and resellers. The attack needs no reconnaissance of the victim's network and no physical access; it is carried out entirely through the vendor's registration flow, and the same request can be issued from the Amcrest Cloud mobile application as well as the web interface.

The impact of a successful claim is complete control of the camera through the attacker's cloud account. The attacker can view and listen to whatever the camera captures in real time, change the motion detection settings, and turn the camera off, all without any notification to the legitimate owner, who has no indication that the device has been bound elsewhere. The last capability deserves emphasis: a surveillance camera that a remote party can silently disable gives its owner false assurance at exactly the moment it matters. Nothing on this page indicates that the attacker also gains a foothold on the owner's local network; the documented impact is control of the device itself via the cloud.

Mitigation belongs primarily on the vendor side, because the defect is in the cloud service's registration logic rather than in anything the owner configures. Adding a camera to an account should require proof of possession that cannot be derived from the serial number: a challenge answered with a per-device secret that only the physical camera holds, a one-time pairing code obtainable only on the local network during setup, or a device certificate whose private key never leaves the camera. For owners, the practical protections follow directly from the preconditions in the description. Add the camera to your own Amcrest cloud account as soon as it is first powered on, since a camera that already belongs to an account cannot be claimed by someone else; check the account periodically for devices you did not add; and apply firmware and application updates from the vendor. Administrators who manage many cameras should keep a record of which serial numbers are bound to which accounts and alert on any change. Note that multi-factor authentication on the owner's account does not help here, because the attacker never touches that account; the claim is made from an account the attacker controls.
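The serial-number-only check described above and a proof-of-possession alternative, as an added Python model written for this page; it is not Amcrest's or VulDB's code. The registry classes, account names, serial number, per-device secret and the HMAC challenge are all constructed assumptions. Nothing on this page describes Amcrest's actual registration protocol or the fix it shipped; the hardened registry simply shows one way a vendor can make the serial number worthless on its own.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TWO_HOURS = 2 * 60 * 60
NOW = 1_700_000_000.0            # fixed "current time" so runs are reproducible
SERIAL = "AMC000000000001"       # constructed serial number, not a real device


@dataclass
class Camera:
    """Constructed model of a camera as the cloud sees it (not Amcrest's data model)."""
    serial: str
    device_secret: bytes          # assumed per-device secret provisioned at manufacture
    last_boot: float              # epoch seconds of the most recent reboot
    owner: Optional[str] = None   # cloud account the camera is bound to, if any


class WeakRegistry:
    """Models the flawed check: knowing the serial number is the only 'proof'
    of ownership, gated by 'unclaimed' and 'rebooted within two hours'."""

    def __init__(self, cameras):
        self.cams: Dict[str, Camera] = {c.serial: c for c in cameras}

    def claim(self, account: str, serial: str, now: float) -> bool:
        cam = self.cams.get(serial)
        if cam is None or cam.owner is not None:
            return False
        if now - cam.last_boot > TWO_HOURS:
            return False
        cam.owner = account       # bound on the serial number alone
        return True


class HardenedRegistry:
    """Hypothetical fix: the claim is completed with an HMAC over a fresh nonce,
    keyed with the device secret that only the physical camera (and the cloud's
    manufacturing record) holds. The serial number alone no longer suffices."""

    def __init__(self, cameras):
        self.cams: Dict[str, Camera] = {c.serial: c for c in cameras}
        self.pending: Dict[Tuple[str, str], bytes] = {}

    def start_claim(self, account: str, serial: str) -> Optional[bytes]:
        cam = self.cams.get(serial)
        if cam is None or cam.owner is not None:
            return None
        nonce = secrets.token_bytes(16)
        self.pending[(account, serial)] = nonce
        return nonce

    def finish_claim(self, account: str, serial: str, response: bytes) -> bool:
        nonce = self.pending.pop((account, serial), None)   # single use
        if nonce is None:
            return False
        cam = self.cams[serial]
        expected = hmac.new(cam.device_secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, response):
            return False
        cam.owner = account
        return True


def camera_answers(cam: Camera, nonce: bytes) -> bytes:
    """What the camera computes when the owner's app relays the challenge to it
    over the LAN during setup; an attacker holding only the serial cannot."""
    return hmac.new(cam.device_secret, nonce, hashlib.sha256).digest()


def fresh_camera(boot_age: float = 600) -> Camera:
    # Constructed sample: a boxed camera powered on boot_age seconds ago, unclaimed.
    return Camera(SERIAL, secrets.token_bytes(32), last_boot=NOW - boot_age)


def attacker_vs_weak(boot_age: float = 600) -> bool:
    reg = WeakRegistry([fresh_camera(boot_age)])
    return reg.claim("attacker@example.com", SERIAL, NOW)


def owner_claims_first() -> Tuple[bool, bool]:
    """Owner-side mitigation in the weak model: bind the camera immediately."""
    reg = WeakRegistry([fresh_camera()])
    owner_ok = reg.claim("owner@example.com", SERIAL, NOW)
    attacker_ok = reg.claim("attacker@example.com", SERIAL, NOW)
    return owner_ok, attacker_ok


def attacker_vs_hardened() -> bool:
    reg = HardenedRegistry([fresh_camera()])
    reg.start_claim("attacker@example.com", SERIAL)
    guess = secrets.token_bytes(32)   # no device secret, so the best the attacker can do
    return reg.finish_claim("attacker@example.com", SERIAL, guess)


def owner_vs_hardened() -> bool:
    cam = fresh_camera()
    reg = HardenedRegistry([cam])
    nonce = reg.start_claim("owner@example.com", SERIAL)
    return reg.finish_claim("owner@example.com", SERIAL, camera_answers(cam, nonce))


if __name__ == "__main__":
    print("weak, attacker inside window:", attacker_vs_weak())
    print("weak, attacker after window: ", attacker_vs_weak(3 * 3600))
    print("weak, owner claims first:    ", owner_claims_first())
    print("hardened, attacker:          ", attacker_vs_hardened())
    print("hardened, owner:             ", owner_vs_hardened())
```

The weak registry reproduces the three conditions from the description (known serial, unclaimed, rebooted within two hours) and nothing else, which is why the attacker's claim succeeds inside the window and fails outside it or once the owner has claimed first. The hardened registry ties the claim to a secret the attacker cannot obtain from the serial number; the nonce is consumed on first use so a captured response cannot be replayed.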

Reservation

04/25/2017

Moderation

accepted

CPE

ready

EPSS

0.02205

KEV

no

Activities

very low

Sources
