VR Model P1 - 360 Degree Camera


buspirate

What is a VR Camera?

In photography, an omnidirectional camera (from "omni", meaning all-encompassing) is a camera with a 360-degree field of view in the horizontal plane, giving a visual field that covers approximately the entire sphere. Such cameras are crucial in areas requiring broad visual coverage, like panoramic photography and robotics.

VR CAM P1 Proxy Eye Fisheye Camera IP 3D VR 360 Degree Panoramic 960P Wi-Fi CCTV Camera With SD Memory Card Slot Multi Viewing Mode

Features of the VR CAMERA:

  • Brand: VR CAM
  • Model: P1
  • Product Dimension: 15 x 15 x 5 cm
  • Resolution: 960p
  • Android/iOS Devices
  • Additional features:
    • 360 Degree Panorama + 3D VR + WIFI & Wired RJ45 + TF Card Slot + Two Way Audio
    • Multi Angle Monitor: Mode 1: Electronic PTZ, Mode 2: Panoramic, Mode 3: Corridor, Mode 4: Traditional Split Screen
    • 1/3 Inch CMOS Sensor, Resolution: 1536 x 1536, Lens 1.19mm, Visual Angle 360 degree, 3MP HD
    • One Camera = 4 to 6 common cameras
  • Optical Zoom: 16 X
  • Connector Type: Wireless, Wired
  • Material: Plastic
  • Lens Type: Fisheye
  • Voltage: 12 Volts
  • Wattage: 130

To configure the device, follow the document: Device Configuration Guide

Security Assessment Overview

During the security assessment, I connected the device via Ethernet, which assigned it an IP address. A scan of this IP address revealed several open ports, including 21 (FTP), 23 (Telnet), and 6789. Notably, port 21 permitted anonymous FTP access, allowing direct access to the device’s filesystem.

Findings

  • FTP Access: The device’s filesystem was accessible without authentication via FTP, revealing firmware details and allowing for firmware downloads.
  • Filesystem Analysis: Deep analysis of the downloaded firmware exposed hardcoded credentials within the etc/password and etc/shadow files, as well as MD5-hashed passwords. Additionally, JFFS filesystem files contained remote FTP server IP information and credentials.
  • Wi-Fi Password Exposure: The router’s Wi-Fi password was found in plaintext within the /tmp/wifi_info directory.
  • Web Interface Vulnerability: The device’s web interface was susceptible to unauthorized access. It was possible to bypass login credentials and directly access the admin control panel by navigating to specific URLs, such as http://192.168.0.185/view.html.
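
A review check for the filesystem finding above, added here as an example and not taken from the original assessment: it reads passwd/shadow-style text from an extracted firmware image and reports accounts whose password field is empty or uses a weak scheme such as MD5. The sample entries are constructed, and treating "MD5 hashed" as either md5-crypt (`$1$`) or a bare 32-character hex digest is an assumption.

```python
import re

# Password-field patterns for passwd/shadow-style files: (regex, label, weak?).
# Order matters: the first matching pattern decides the result.
SCHEMES = [
    (re.compile(r"^$"), "empty password", True),
    (re.compile(r"^[*!]"), "locked", False),
    (re.compile(r"^x$"), "shadowed", False),
    (re.compile(r"^\$1\$"), "md5-crypt", True),
    (re.compile(r"^\$2[abxy]?\$"), "bcrypt", False),
    (re.compile(r"^\$5\$"), "sha256-crypt", False),
    (re.compile(r"^\$6\$"), "sha512-crypt", False),
    (re.compile(r"^\$y\$"), "yescrypt", False),
    (re.compile(r"^[0-9a-fA-F]{32}$"), "raw MD5 hex", True),  # assumption
    (re.compile(r"^[./0-9A-Za-z]{13}$"), "DES crypt", True),
]

def classify(field):
    """Map one password field to (scheme label, is_weak)."""
    for pattern, label, weak in SCHEMES:
        if pattern.search(field):
            return label, weak
    return "unknown scheme", True  # unrecognised fields need manual review

def audit_accounts(text):
    """Return (user, scheme, weak) for each account line in the given text."""
    findings = []
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # skip blank lines, comments and malformed entries
        label, weak = classify(parts[1])
        findings.append((parts[0], label, weak))
    return findings

def weak_accounts(text):
    """Keep only the accounts a reviewer should flag."""
    return [(user, scheme) for user, scheme, weak in audit_accounts(text) if weak]

# Constructed sample entries, not taken from the camera's firmware.
SAMPLE_SHADOW = """\
root:$1$CONSTRUC$aaaaaaaaaaaaaaaaaaaaaa:0:0:99999:7:::
admin::0:0:99999:7:::
ftp:*:0:0:99999:7:::
user:$6$CONSTRUCTEDSALT$bbbbbbbb:0:0:99999:7:::
"""

if __name__ == "__main__":
    for user, scheme in weak_accounts(SAMPLE_SHADOW):
        print(f"WEAK {user}: {scheme}")
```

The same function works on a passwd file that stores hashes in its second field, which is common on embedded Linux images without a separate shadow file.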

This detailed assessment underscores the critical importance of stringent security practices in the development and deployment of IoT devices. The vulnerabilities identified, ranging from unauthorized access to sensitive information disclosure, highlight the potential risks associated with inadequate security measures.

© 2024 Mr-IoT