Finding (and exploiting) vulnerabilities on IP Cameras: the Tenda CP3 case study
Dario Stabili, Tobia Bocchi, Filip Valgimigli, Mirco Marchetti

TL;DR
This paper presents a comprehensive methodology for analyzing IP camera firmware to identify security vulnerabilities, demonstrated through a case study on the Tenda CP3 camera where five new CVEs were discovered.
Contribution
It introduces a novel analysis approach focusing on malicious invocation sequences and automates parts of the process with custom tools, advancing security assessment techniques for IP cameras.
Findings
Identified five new CVEs in Tenda CP3 cameras.
Developed a custom analysis tool based on Ghidra.
Demonstrated the effectiveness of the methodology in real-world firmware analysis.
Abstract
Consumer IP cameras are now the most widely adopted solution for remote monitoring in various contexts, such as private homes or small offices. While the security of these devices has been scrutinized, most approaches are limited to relatively shallow network-based analyses. In this paper, we discuss a methodology for the security analysis and identification of remotely exploitable vulnerabilities in IP cameras, which includes static and dynamic analyses of executables extracted from IP camera firmware. Compared to existing methodologies, our approach leverages the context of the target device to focus on the identification of malicious invocation sequences that could lead to exploitable vulnerabilities. We demonstrate the application of our methodology by using the Tenda CP3 IP camera as a case study. We identified five novel CVEs, with CVSS scores ranging from 7.5 to 9.8. To partially…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection · Internet Traffic Analysis and Secure E-voting
