Vulnerabilities in Zavio Security Cameras
The Discovery
Dozens of vulnerabilities have been identified in security cameras manufactured by the defunct Chinese company Zavio. The vulnerabilities were discovered by the IoT firmware analysis platform provider BugProve, which has been working with CCTV Camera Pros and the US Cybersecurity and Infrastructure Security Agency (CISA) to verify and disclose the flaws. They affect various Zavio IP camera models and reside in a daemon called ‘Onvif’, which is used for integrations with surveillance systems.
Severity of the Vulnerabilities
According to BugProve, more than 34 memory corruption and command injection vulnerabilities have been identified, seven of which can be exploited for unauthenticated remote code execution with root privileges. Vulnerabilities of this kind could allow attackers to take complete control of the vulnerable devices. While IP cameras can be targeted to hijack their video feeds, they are often leveraged by botnets for DDoS attacks and other malicious activities.
CVE Identifiers and Patching
Although BugProve has found many individual vulnerabilities, CISA has decided to assign only two CVE identifiers — CVE-2023-4249 and CVE-2023-3959 — due to the common underlying issues. Since Zavio is defunct, there will be no official patches released for the impacted cameras. As a result, users have been advised to replace these devices to mitigate the risk of falling victim to hacker attacks. CCTV Camera Pros, the main distributor of Zavio cameras in North America, has been notifying customers that Zavio cameras are no longer available and recommending alternative brands.
The Disclosure Process
It’s worth noting that the vulnerabilities were discovered in late 2022, but the disclosure process was delayed due to the vendor’s failure to respond and the time it took for CISA to verify the vulnerabilities. BugProve has already published a blog post with technical details, and CISA is expected to release its own advisory soon.
Implications and Analysis
Internet of Things Security
The vulnerabilities found in Zavio security cameras highlight the ongoing challenges posed by the security of Internet of Things (IoT) devices. As IoT devices become more prevalent in our everyday lives, it is imperative that manufacturers prioritize security measures to protect against potential threats. The Zavio case serves as a reminder that even devices from defunct companies can still pose serious security risks if not properly addressed.
The Importance of Timely Patching
The inability to patch the identified vulnerabilities in the Zavio cameras underscores the significance of timely software updates and ongoing support from manufacturers. When vulnerabilities are discovered, it is crucial for vendors to promptly release patches to address the flaws and protect users. Users, on the other hand, must prioritize updating their devices to the latest firmware versions to ensure they are safeguarded against known vulnerabilities.
Securing IoT Devices
To mitigate the risks associated with IoT devices, there are several measures that both manufacturers and users should take:
Manufacturers:
- Implement secure coding practices during the development of IoT devices to minimize the potential for vulnerabilities.
- Regularly perform security assessments and penetration testing on their products to identify and address any weaknesses.
- Provide timely and regular firmware updates to patch known vulnerabilities and protect devices from emerging threats.
- Establish clear channels of communication with security researchers and promptly respond to vulnerability reports.
Users:
- Regularly update their IoT devices with the latest firmware versions provided by the manufacturer.
- Change default passwords and use strong, unique passwords for each device.
- Segment IoT devices from the rest of the network to minimize the potential impact of a compromised device.
- Regularly monitor device activity, such as outbound network connections or unauthorized access attempts.
- Educate themselves about the potential risks and best practices for securing IoT devices.
Editorial Opinion
The discovery of vulnerabilities in Zavio security cameras highlights the ongoing challenges in securing IoT devices. It is concerning that these vulnerabilities were discovered in late 2022, yet it took an extended period of time for the disclosure and verification process to be completed. This delay underscores the need for improved communication and coordination between security researchers, vendors, and government agencies to ensure that potential risks are promptly addressed.
Furthermore, the lack of patching options for the impacted Zavio cameras due to the company’s closure raises questions about the longevity and supportability of IoT devices. Manufacturers must take responsibility for supporting their products throughout their lifespan, even if they go out of business. This would require companies to establish clear protocols for handling vulnerabilities and providing necessary patches and updates, regardless of their corporate status.
Users, on the other hand, should prioritize investing in IoT devices from reputable manufacturers that demonstrate a commitment to security and ongoing support. Additionally, users must be proactive in updating their devices to the latest firmware versions and following best practices to secure their IoT devices and networks.
Overall, the Zavio security camera vulnerabilities serve as a reminder of the challenges that lie ahead in securing the rapidly expanding IoT landscape. It is crucial that all stakeholders, including manufacturers, users, and government agencies, work together to implement robust security measures and ensure the long-term safety and trustworthiness of IoT devices.