A huge number of internet-connected security cameras produced by a Chinese manufacturer are vulnerable to cyber attacks that could result in the devices being compromised, according to security researchers.

Experts at cyber security firm Bitdefender discovered nearly 175,000 Internet of Things (IoT) security cameras manufactured by Shenzhen Neo Electronics suffer from a number of exploitable security vulnerabilities that put users at risk.

At risk in particular are the company’s iDoorbell and NIP-22 camera models. Both devices are targeted primarily at consumers and are designed to be integrated into an internet-connected home setup that allows users to remotely monitor activity from the cameras.

According to Bitdefender, the devices use Universal Plug and Play (UPnP) technology to automatically open ports in a router’s firewall to communicate with the Internet. Doing so also leaves the cameras vulnerable to attack.

In particular, the cameras from Shenzhen Neo Electronics can be exploited through buffer overflow vulnerabilities, in which an attacker sends data designed to overrun a system’s temporary data storage. Such an attack allows executable code to be overwritten with malicious code.

The buffer overflow attacks could be used to gain remote access to the cameras, allowing an attacker to execute malicious code on the device and take control of some of its functions. Even without carrying out such an attack, a hacker could gain access to the device and watch a live stream of footage from the camera simply by using the default login credentials.

While Bitdefender focused its findings on the two consumer cameras, the researchers noted there may be other vulnerable devices from Shenzhen Neo Electronics on the market that use the same firmware and therefore could be exploited by the same type of attack.

“This proof of concept attack confirms once again that most Internet of Things devices are trivial to exploit because of improper quality assurance at the firmware level,” the researchers concluded in the published paper on the vulnerabilities.



“Paired with the fact that the bug affects the authentication mechanism (i.e. it does not require the user to already be authenticated to exploit the flaw) and the massive pool of affected devices, we can only imagine the impact a harvested botnet of devices might have.”

The lack of security in IoT devices, which was recently the subject of bipartisan legislation presented by the United States Congress, presents a significant risk for device owners as well as others. As Bitdefender noted, insecure devices can be used in a botnet, which hackers use to direct massive numbers of internet-connected devices at a single target to carry out denial of service attacks.

With so many vulnerable devices sitting with an open connection to the internet, it would be possible for a hacker to assemble a botnet like the Mirai botnet that was used by attackers to take down a number of major web services and deny internet access to more than one million Deutsche Telekom subscribers.

Internet-connected cameras have also fallen victim to other attacks in recent months, including traffic cameras in Australia being hit by the ransomware attack WannaCry.