?auth=YWRtaW46MTEK and a million open cameras
Technical breakdown of the auth bypass, P2P relay, and default-credential failures that exposed over a million IP cameras and baby monitors.
A million-plus internet-facing baby monitors and IP cameras have been viewable by unauthenticated remote attackers at various points across the last decade. The pattern is consistent. Authentication bypass on the embedded web server. Hardcoded credentials in firmware. Broken P2P relay protocols that expose live RTSP streams to anyone who can enumerate a device UID. Cleartext MQTT or proprietary keep-alive traffic to a vendor cloud that performs no client-side identity check. The class of bug is not advanced. It is shipped at scale by ODMs and rebranded by hundreds of consumer labels.
The canonical case is CVE-2017-7921. Hikvision IP cameras and NVRs running firmware versions in the V5.2.0 through V5.4.x range exposed an authentication bypass in the web interface. CVSS v3 base score 9.8. The mechanism was an improperly validated query string parameter. Appending ?auth=YWRtaW46MTEK - base64 for admin:11\n - to a privileged endpoint allowed the request to be processed without session validation. The server’s auth middleware checked for the presence of the parameter, not the validity of the credentials encoded inside it. An unauthenticated remote attacker could list users, retrieve password hashes, fetch the configuration file, and pull live video. The bug class is CWE-287, improper authentication. It is an authorisation logic error in the request handler - the kind of flaw a fuzzer doesn’t find because the endpoint returns 200 on malformed input.
Four years later the same vendor shipped CVE-2021-36260. CVSS 9.8. Unauthenticated command injection in the web server’s PUT handler for the language configuration endpoint. The vulnerable parameter was passed unsanitised to a shell context inside the device’s firmware. Remote attackers issued a single crafted HTTP request and obtained root on the camera. From root on a camera, the attacker has a Linux endpoint inside the victim’s LAN with a network interface, a kernel with iptables, and frequently a writable /tmp where additional tooling lands. Mass scanning for this CVE on ports 80 and 8000 was observed within weeks of disclosure. Mirai variants integrated a CVE-2021-36260 module almost immediately.
Dahua devices carry their own history. CVE-2021-33044 and CVE-2021-33045 are authentication bypasses in the Dahua DHIP private protocol - the binary protocol Dahua devices use on TCP 37777. The flaw lived in the login state machine. A specially crafted NetKeyboard or loopback login packet placed the session into an authenticated state without supplying a valid credential. From there, full device control was available, including snapshot retrieval, configuration export, and stream subscription. The protocol is not HTTP. It does not appear in web-focused scanners. It appears in netflow as outbound or inbound TCP 37777, often from residential ASNs to consumer-grade ISPs.
TBK DVR devices and a long list of rebrands shipped CVE-2018-9995. CVSS 9.8. The device read a Cookie header named uid and trusted its content as an authenticated identity. A request with Cookie: uid=admin returned the device’s stored credential set in cleartext JSON. The fix on most affected lines never reached deployed firmware because the integrator never pushed an update path. Internet-exposed devices are still vulnerable at the time of writing.
The second failure mode is P2P relay. Most consumer cameras do not require port forwarding. They reach a vendor-operated relay using a UDP-based protocol - iLnkP2P, CS2 Network’s P2P, ThroughTek Kalay, Shenzhen Yunni’s protocols. The device registers with a UID, often printed on a sticker on the device. A mobile app queries the relay using the same UID and a paired password. The protocols failed in three ways. UIDs were enumerable because they followed a structured prefix-plus-sequential pattern. Authentication on the relay verified knowledge of the UID, not knowledge of any device secret. Encryption was either absent or used a fixed key shipped in firmware.
Paul Marrapese’s 2019 research on iLnkP2P quantified one slice. Approximately 2 million devices were reachable through the relay with no effective authentication beyond UID guessing. CVE-2019-11219 and CVE-2019-11220 covered the enumeration and traffic interception components. Devices included baby monitors marketed under HeroSpeed, VStarcam, Wanscam, Eye Sight, and dozens of Amazon-listing-only brands. The traffic between the camera and the relay was either cleartext or obfuscated with a constant XOR key. An attacker positioned to observe relay traffic - or simply registering as a client with the right UID - pulled live H.264 streams.
Mandiant disclosed the ThroughTek Kalay flaws in 2021. CVE-2021-28372. The Kalay protocol allowed a client to register a device UID on the relay and intercept subsequent legitimate connections to that UID. The attacker needed only the UID and the ability to register first. Audio and video were retrievable. Tens of millions of devices were estimated to be reachable through Kalay at disclosure time.
The third failure mode is the credential floor. Mirai-class infection of camera and DVR devices in 2016 ran on Telnet port 23 with a list of 62 default credential pairs. Most devices were not running Telnet because the user enabled it. They were running Telnet because the ODM left it on and the integrator did not disable it before shipping. The credentials were not just admin:admin. They were root:xc3511, root:vizxv, root:juantech - strings hardcoded into the firmware of specific Hi3518-based and similar SoCs. Resetting the admin password through the web UI did not affect the Telnet credential. The attack required no exploit. It required a connect, a banner read, and a credential pair from a static list. MITRE T1078.001, default accounts.
What this produces in telemetry depends on where the sensor sits. On a residential network, there is no telemetry. The camera is the endpoint and there is no EDR. On a corporate network with an IoT VLAN, the indicators are visible at the perimeter. Outbound UDP to known P2P relay infrastructure - ThroughTek’s *.iotcplatform.com, iLnkP2P’s relay ranges, CS2 Network’s relay nodes. Outbound TCP 37777 to non-vendor destinations. Inbound TCP 80 and 8000 from scanner ranges hitting /SDK/webLanguage, /onvif-http/snapshot, or /PSIA/Custom/SelfExt/userCheck. Sysmon does not see these because the camera is not running Sysmon. The SIEM sees them only if firewall logs forward to it and someone wrote a correlation rule. Most do not.
The perimeter signature for CVE-2021-36260 exploitation attempts is a PUT to /SDK/webLanguage with a body containing shell metacharacters in the <language> element. The signature for CVE-2017-7921 is a GET with auth=YWRtaW46MTEK or any base64 variant in the query string. Suricata and Snort rulesets from Emerging Threats cover both. They fire on egress from internal scanners and on ingress against exposed devices. They do not fire on devices behind NAT being exploited through compromised relay infrastructure, which is the more common case for residential targets.
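A minimal perimeter check for the request-level indicators described above, written as an added example rather than anything from the article or from the Emerging Threats rulesets. It generalises the auth= match to any base64 string that decodes to a user:password pair, and every request it inspects is constructed sample data.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# Added example, not vendor or article code. Flags the three request-level
# indicators the article names: the auth= bypass (CVE-2017-7921), a PUT to
# /SDK/webLanguage with shell metacharacters (CVE-2021-36260), and a trusted
# uid cookie (CVE-2018-9995). All requests below are constructed sample data.
SHELL_META = re.compile(r"[$`;|&<>]")
CRED_SHAPE = re.compile(r"^[A-Za-z0-9_.-]{1,32}:.{0,64}$", re.S)


def looks_like_basic_cred(token: str) -> bool:
    """True if token base64-decodes to user:password, whatever the credential."""
    token = token.replace(" ", "+")           # parse_qs turns '+' into a space
    padded = token + "=" * (-len(token) % 4)  # tolerate stripped padding
    try:
        decoded = base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:                        # binascii.Error is a ValueError
        return False
    return CRED_SHAPE.match(decoded.strip()) is not None


def inspect_request(method: str, target: str, headers: dict, body: str = "") -> list:
    """Return the indicator names matched by a single HTTP request."""
    hits = []
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if any(looks_like_basic_cred(t) for t in query.get("auth", [])):
        hits.append("CVE-2017-7921 credential in auth= query parameter")
    if method.upper() == "PUT" and parts.path.startswith("/SDK/webLanguage"):
        lang = re.search(r"<language>(.*?)</language>", body, re.S)
        if lang and SHELL_META.search(lang.group(1)):
            hits.append("CVE-2021-36260 shell metacharacters in <language>")
    cookie = {k.lower(): v for k, v in headers.items()}.get("cookie", "")
    if re.search(r"(?:^|;\s*)uid=admin(?:\s*;|$)", cookie):
        hits.append("CVE-2018-9995 trusted uid=admin cookie")
    return hits


SAMPLE_REQUESTS = [  # constructed; the last entry is a benign session request
    ("GET", "/PSIA/Custom/SelfExt/userCheck?auth=YWRtaW46MTEK", {"Host": "cam.lan"}, ""),
    ("PUT", "/SDK/webLanguage", {"Host": "cam.lan"},
     "<?xml version='1.0'?><language>en$(true)</language>"),
    ("GET", "/", {"Cookie": "uid=admin"}, ""),
    ("GET", "/doc/page.asp", {"Cookie": "WebSession=x1"}, ""),
]


def scan(requests=SAMPLE_REQUESTS) -> list:
    """Map each request to its matched indicators; an empty list means no match."""
    return [inspect_request(*r) for r in requests]
```

Run `scan()` over parsed firewall or proxy records; a non-empty list for a request arriving at an internal camera VLAN from outside is the alert condition the article describes.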
The real-world exploitation context is broad. Insecam and Shodan have surfaced unauthenticated camera streams continuously since 2014. Mirai, Mozi, Gafgyt, and their descendants pull cameras into DDoS botnets. Initial access brokers list lots of compromised DVR and NVR devices on Russian-language forums. Stalkerware operators trade access to specific UIDs of compromised baby monitors. The use case at the high end is residential surveillance and proximity to a target. The use case at the low end is botnet conscription and crypto mining on devices with enough flash to hold a payload.
The technical reality after patching is partial. Hikvision and Dahua firmware updates close the named CVEs on devices that receive them. Most consumer rebrands of the same ODM hardware never receive a corresponding update because the integrator’s relationship with the upstream OEM does not include a security update channel. The P2P protocols have been revised - Kalay rotated keys, iLnkP2P partially deprecated - but devices already deployed continue to use the original handshake because the firmware that speaks the new handshake never lands. Disabling UPnP on the home router removes some exposure. Putting the camera on an isolated VLAN with no internet egress removes most. Neither is the default configuration shipped by any major consumer brand. The exposure persists because the economic model for these devices does not include a security maintenance budget after the unit ships. That is the residual condition. The CVE numbers change. The class does not.