An issue was discovered on Alecto IVM-100 2019-11-12 devices. The device uses a custom UDP protocol to start and control video and audio services. The protocol has been partially reverse engineered. Based upon the reverse engineering, no password or username is ever transferred over this protocol. Thus, one can set up the camera connection feed with only the encoded UID. It is possible to set up sessions with the camera over the Internet by using the encoded UID and the custom UDP protocol, because authentication happens at the client side.
30be5b3d8a4c41b0bd80dbb9c3ff49c1407c5db44ff864668aaab8728b0c851d
[Suggested description]
An issue was discovered on Alecto IVM-100 2019-11-12 devices.
The device uses a custom UDP protocol to start and control video and
audio services. The protocol has been partially reverse engineered.
Based upon the reverse engineering, no password or username is ever
transferred over this protocol. Thus, one can
set up the camera connection feed with only the encoded UID. It
is possible to set up sessions with the camera over the Internet by using the encoded UID
and the custom UDP protocol, because authentication happens at the client
side.
------------------------------------------
[Vulnerability Type]
Incorrect Access Control
------------------------------------------
[Vendor of Product]
Alecto
------------------------------------------
[Affected Product Code Base]
Alecto-IVM-100 - Exact version unknown
------------------------------------------
[Affected Component]
Video and audio stream of the camera.
------------------------------------------
[Attack Type]
Remote
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[Attack Vectors]
An attacker requires knowledge of the encoded UID (can be obtained by
sniffing or enumerating). Once this knowledge has been obtained, the
attacker can set up a video/audio system from anywhere.
------------------------------------------
[Has vendor confirmed or acknowledged the vulnerability?]
true
------------------------------------------
[Discoverer]
Willem Westerhof, Jasper Nota, Martijn Baalman from Qbit cyber security in cooperation with The Dutch consumer organisation
------------------------------------------
[Reference]
https://www.alecto.nl
Use CVE-2019-20461.