An issue was discovered on Alecto IVM-100 2019-11-12 devices. The device uses a custom UDP protocol to start and control video and audio services. The protocol has been partially reverse engineered. Based upon the reverse engineering, no password or username is ever transferred over this protocol. Thus, one can set up the camera connection feed with only the encoded UID. It is possible to set up sessions with the camera over the Internet by using the encoded UID and the custom UDP protocol, because authentication happens at the client side.
The Alecto IVM-100 camera communicates with clients using its own UDP protocol, in which authentication is performed only on the client side. During session establishment, the protocol never transmits a username or password — the only required element is an encoded device UID. Once this identifier is obtained or guessed, it is possible to establish a session with the camera directly over the Internet without any identity verification. The protocol was partially reverse-engineered, which confirms the absence of authentication mechanisms.
An attacker can gain unauthorized access to the video and audio stream of the camera, leading to a breach of privacy of the monitored area. Depending on the deployment context, this can result in a complete loss of confidentiality of surveillance footage.
Patches available from the manufacturer should be applied according to references. As a workaround, it is recommended to isolate cameras from direct Internet access by placing them behind a firewall or in a VPN network, and to restrict UDP traffic to trusted IP addresses.
Alecto IVM-100 devices with firmware dated 2019-11-12
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H