Exclusive - Security cameras used by millions are vulnerable to hackers - update your devices now
By Anthony Spadafora published 15 September 2022

Newly discovered security flaws could be used to take over a camera and download images from it

Several models of home security cameras from the Chinese firm EZVIZ contain vulnerabilities that could be exploited by hackers to remotely control them and even download images from them.

A recent investigation by the security company Bitdefender found three remote and one local vulnerability in EZVIZ's cameras. Fortunately, EZVIZ worked together with Bitdefender's researchers to address these vulnerabilities and issue patches for them in a timely fashion. However, if you own any of the security cameras listed below, you will need to update them in order to prevent falling victim to any attacks that leverage these vulnerabilities.

Here are the model numbers of the affected devices along with their firmware from a vulnerability notice released by EZVIZ:

CS-CV248 - versions below V5.2.3 build 220725
CS-C6N-A0-1C2WFR - versions below V5.3.0 build 220428
CS-DB1C-A0-1E2W2FR - versions below V5.3.0 build 220802
CS-C6N-B0-1G2WF - versions below V5.3.0 build 220712
CS-C3W-A0-3H4WFRL - versions below V5.3.5 build 220723

According to its listing on the Google Play Store, the EZVIZ app has been downloaded more than 10 million times, which means that the company has potentially millions of users who could be impacted by these vulnerabilities.

Bitdefender also noted in its discussions with Tom's Guide that other EZVIZ security cameras could also be affected since the company has a large product portfolio and its researchers were unable to test every security camera individually.

Remotely controlling cameras and downloading images
Based on a new whitepaper (PDF) from Bitdefender, we know a bit more about each of the security flaws in question and how they could be exploited by an attacker to remotely take control of vulnerable EZVIZ cameras.

The security firm's researchers uncovered several vulnerabilities in EZVIZ smart security cameras and their API endpoints that an attacker could leverage to carry out a variety of malicious actions including remote code execution and access to a camera's video feed.

The first vulnerability (tracked as CVE-2022-2471) was found in the configMotionDetectArea API endpoint. As EZVIZ's cameras are accessible from anywhere, user-device communication is relayed through servers in the cloud using a number of commands. Bitdefender's researchers found that they could overflow a local stack buffer in a camera's motion detection routine to achieve remote code execution.

An Insecure Direct Object Reference vulnerability was also found in multiple API endpoints that could be exploited by an attacker to download images and issue commands to an EZVIZ security camera as if they were its owner.

Likewise, after downloading images from an affected camera, Bitdefender's researchers found that although the images were encrypted, they could recover the encryption key for these images using an API endpoint. The endpoint returned a camera's password in plaintext, which allowed the researchers to decrypt and access the images.

The final security flaw discovered by Bitdefender (tracked as CVE-2022-2472) was an improper initialization vulnerability that could be used by an attacker to recover the admin password of a device and completely take it over.

How to protect your EZVIZ cameras from hackers
After discovering these issues in EZVIZ's cameras, Bitdefender contacted the firm back in April of this year. EZVIZ promptly responded and then conducted an internal assessment before asking for additional time to fix and patch the vulnerabilities in question.

In a statement to Tom's Guide, an EZVIZ spokesperson provided further insight on how the company worked with Bitdefender to fix these vulnerabilities, saying:

"Over the past months, we have been working transparently and responsively with Bitdefender to patch and verify the successful remediation of the reported vulnerabilities following the standard Coordinated Disclosure Progress. As a company with "safety" in our DNA, EZVIZ is committed to continuing to work with third-party ethical hackers and security researchers to find, patch, disclose and release updates to products in a manner that best protects our users and their homes."

At the time of writing, all of these vulnerabilities have been addressed in the latest firmware, which EZVIZ users can download via the EZVIZ app. However, the company's customers also should have received a push notification with the updated firmware.

If you haven't updated your EZVIZ security cameras yet, you should do so immediately, as hackers may still try to craft exploits that leverage these now-patched security flaws.

Outdoor security cameras can be a great deterrent that can help keep you and your family safe. However, if accessed by hackers, they could end up doing more harm than good while compromising both your security and your privacy.
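For anyone managing more than one camera, the update advice above can be turned into an inventory check against the firmware thresholds in EZVIZ's notice. The following is an added example, not code from EZVIZ, Bitdefender or Tom's Guide; it assumes firmware strings are recorded in the notice's "V5.3.0 build 220428" form and that the version number takes precedence over the build date when comparing, and the inventory entries (including the model CS-XYZ-EXAMPLE) are constructed.

```python
import re

# Minimum fixed firmware per model, as listed in the EZVIZ notice quoted in the article.
FIXED = {
    "CS-CV248": "V5.2.3 build 220725",
    "CS-C6N-A0-1C2WFR": "V5.3.0 build 220428",
    "CS-DB1C-A0-1E2W2FR": "V5.3.0 build 220802",
    "CS-C6N-B0-1G2WF": "V5.3.0 build 220712",
    "CS-C3W-A0-3H4WFRL": "V5.3.5 build 220723",
}

_FW = re.compile(r"^\s*V(\d+)\.(\d+)\.(\d+)\s+build\s+(\d{6})\s*$", re.IGNORECASE)


def parse_firmware(text):
    """Return (major, minor, patch, build), or None if the string is not in the notice's format."""
    m = _FW.match(text or "")
    return tuple(int(g) for g in m.groups()) if m else None


def classify(model, firmware):
    """Return 'patched', 'vulnerable', 'unlisted' or 'unparseable' for one camera."""
    fixed = FIXED.get(model.strip().upper())
    if fixed is None:
        # Bitdefender could not test every model, so "unlisted" does not mean "safe".
        return "unlisted"
    installed = parse_firmware(firmware)
    if installed is None:
        return "unparseable"  # needs a manual look rather than a silent pass
    # Assumption: version number is compared first, build date breaks ties.
    return "patched" if installed >= parse_firmware(fixed) else "vulnerable"


def audit(inventory):
    """Map each camera name to its status."""
    return {name: classify(model, fw) for name, model, fw in inventory}


# Constructed sample inventory: (name, model, installed firmware).
SAMPLE = [
    ("front-door", "CS-DB1C-A0-1E2W2FR", "V5.3.0 build 220801"),
    ("garage", "CS-C6N-A0-1C2WFR", "V5.3.0 build 220428"),
    ("garden", "CS-C3W-A0-3H4WFRL", "V5.3.4 build 220901"),
    ("hall", "CS-CV248", "5.2.3"),
    ("shed", "CS-XYZ-EXAMPLE", "V5.3.0 build 220101"),
]

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name:12} {status}")
```

Cameras reported as "unlisted" or "unparseable" still need their firmware checked by hand in the EZVIZ app.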