Unpatched Flaws in Zavio Security Cameras: A Looming Threat to Surveillance Systems

Vulnerabilities in Zavio Security Cameras

Dozens of vulnerabilities have been found in security cameras made by the defunct Chinese company Zavio. These flaws were discovered by the IoT firmware analysis platform provider BugProve, which has worked with the main distributor of Zavio cameras in North America, CCTV Camera Pros, and the US Cybersecurity and Infrastructure Security Agency (CISA) to verify and disclose the vulnerabilities.

The Vulnerabilities

BugProve has identified more than 34 memory corruption and command injection vulnerabilities in various Zavio IP camera models. These vulnerabilities affect a daemon called ‘Onvif’, which is used for integrations with surveillance systems. According to BugProve, seven of these vulnerabilities can be exploited for unauthenticated remote code execution with root privileges. This means that attackers can take complete control of the targeted device.

While IP cameras can be targeted to hijack video feeds, they are primarily targeted by botnets for DDoS and other attacks. It is critical to raise awareness about these vulnerabilities because Zavio cameras are reportedly still deployed in the United States and Europe.

The Disclosure Process

The weaknesses in Zavio cameras were discovered in late 2022, but the disclosure process was delayed due to the vendor’s failure to respond and the time it took CISA to verify the vulnerabilities. CISA has assigned two CVE identifiers for the flaws: CVE-2023-4249 and CVE-2023-3959.

Implications for Users

Since the impacted Zavio cameras will not receive patches, it is strongly advised that users replace these devices to prevent falling victim to hacker attacks. CCTV Camera Pros is informing customers that Zavio cameras are no longer available and recommending alternatives.

Editorial: The Importance of Internet Security

This discovery of vulnerabilities in Zavio security cameras highlights the ongoing challenges in securing Internet of Things (IoT) devices. As these devices become more prevalent in our homes and workplaces, it is essential to prioritize and invest in robust security measures.

The case of Zavio cameras also brings attention to the issue of defunct companies and the security risks associated with their products. When a company goes out of business, it can be challenging to address vulnerabilities in their devices. This situation underscores the need for better oversight and accountability in the IoT industry.

Internet Security and Privacy

The vulnerabilities found in Zavio cameras serve as a reminder that Internet security goes beyond protecting one’s personal data. In the case of IoT devices like security cameras, the security of these devices directly impacts the privacy and safety of individuals and their properties.

Without proper security measures, attackers can gain unauthorized access to video feeds, compromising the privacy of individuals and potentially using the cameras for malicious activities such as DDoS attacks. It is crucial for consumers to prioritize security when choosing and using IoT devices.

Advice for Consumers and Businesses

As a response to the vulnerabilities discovered in Zavio cameras, it is recommended that users take the following actions:

1. Replace Vulnerable Devices

Since Zavio cameras will not receive patches, users should replace these devices with more secure alternatives. This will help prevent potential attacks that may exploit the discovered vulnerabilities. Consult with security professionals or trusted vendors to select cameras with robust security features.

2. Regularly Update and Patch Devices

While the focus of this report is on unpatched vulnerabilities in Zavio cameras, it is important to emphasize the importance of regularly updating and patching all IoT devices. Manufacturers often release firmware updates that address known vulnerabilities and improve overall security. Make it a habit to check for and install updates regularly.

3. Choose Reliable and Reputable Vendors

When purchasing IoT devices, particularly security cameras, it is crucial to choose vendors with a strong track record in security and a commitment to addressing vulnerabilities. Do your research and review vendor security practices and responsiveness to security concerns. Look for vendors who provide frequent updates and have a good reputation for addressing vulnerabilities promptly.

4. Maintain a Secure Network

Securing IoT devices not only requires action from the device itself but also from the network they are connected to. Ensure that your home or business network is properly secured with strong passwords, up-to-date firmware on routers and access points, and network segmentation to isolate IoT devices from critical systems.

5. Stay Informed and Follow Best Practices

Internet security is an evolving field, and new vulnerabilities can be discovered at any time. Stay informed about the latest security threats and best practices by following trusted cybersecurity sources. Implement recommended security measures and regularly review and improve your own security practices.

Conclusion

The vulnerabilities discovered in Zavio security cameras serve as a reminder of the ongoing challenges in securing IoT devices. It is crucial for consumers and businesses to prioritize internet security, choose reliable vendors, and regularly update and patch devices. By taking proactive measures, individuals and organizations can mitigate the risk of falling victim to attacks and ensure the privacy and safety of their digital environments.

Sources:

• The New York Times