Storm on the Horizon: Inside the AJCloud IoT Ecosystem

On September 19, 2024, an extensive security investigation into the AJCloud IoT platform uncovered serious vulnerabilities affecting millions of Wi-Fi cameras sold by various vendors.


Introduction

On September 19, 2024, an extensive security investigation into the AJCloud IoT platform uncovered serious vulnerabilities affecting millions of Wi-Fi cameras sold by various vendors. These cameras, popular for their affordability and convenience, are at risk of being exploited by attackers who could gain unauthorized access to video streams, personal information, and even full control of the devices.

Report Overview

AJCloud, a Nanjing-based company, supplies security cameras, firmware, mobile and desktop applications, and cloud services to numerous vendors, including Wansview, Faleemi, and Galayou. Their products are distributed globally through major e-commerce platforms like Amazon. Despite the security best practices applied in some areas, AJCloud's cameras are vulnerable to several critical weaknesses, primarily stemming from the platform's access control flaws.

The investigation, initiated by security researchers during the Elastic ON Week event, focused on the Wansview Q5 camera. However, it soon became apparent that the vulnerabilities discovered applied to a wide range of AJCloud-powered devices.

The research began with network reconnaissance on the Wansview Q5, examining both active and passive communications between the camera and the AJCloud platform. Initial attempts to intercept these communications were largely thwarted by robust security mechanisms like certificate pinning and encrypted connections. Despite this, the researchers persisted by reverse-engineering the mobile and desktop apps used to control the cameras.

The breakthrough came through an analysis of the older Windows version of the Wansview Cloud app. Overly verbose logging revealed sensitive information, including user credentials in cleartext, as well as metadata from camera sessions such as location, network configurations, and device IDs. By manipulating these logs, the researchers were able to remotely access and control multiple cameras through their device IDs.

Further investigation revealed that the AJCloud platform uses the Peer-to-Peer (P2P) protocol for camera control, which allowed attackers to exploit the system by manipulating UDP traffic and issuing commands like panning the camera, rebooting it, or crashing its firmware. The most critical vulnerability was a command that modified the camera’s configuration file, effectively bricking the device by corrupting its startup routine.

Insights and Analysis

The flaws exposed by the research indicate a significant risk for millions of cameras connected to the AJCloud platform. Attackers could gain access to sensitive user information and control over camera hardware, allowing them to spy on individuals and businesses without detection. While AJCloud has attempted to address some of these vulnerabilities in the past, the scope of the issues revealed is vast and requires immediate attention.

Without a resolution, affected devices pose a security risk not only to the individuals using them but to the broader networks they are connected to. The potential for lateral movement from compromised IoT devices to more critical systems cannot be ignored.

To mitigate the risks posed by these vulnerabilities, it is strongly recommended that users take steps to segment their IoT devices from critical network systems. While segmenting Wi-Fi cameras from the rest of a home or business network is a sound strategy, it will not fully eliminate the risk posed by the AJCloud platform vulnerabilities. Furthermore, open-source firmware alternatives like OpenIPC or thingino can offer a more secure solution by giving users control over device configurations and removing the need for constant connectivity to vendor cloud platforms.
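As an added example (not code from the Elastic report, the researchers or AJCloud), the check below reads constructed flow records from a segmented network and flags any camera-VLAN host that reaches another internal subnet, which is the lateral movement the segmentation advice above is meant to prevent; the subnets, gateway address and flow-line format are assumptions made for the illustration.

```python
"""Flag traffic that crosses the IoT-to-LAN boundary.

Added example, not from the Elastic report or AJCloud: given flow records from a
segmented network, report any flow in which a device on the camera VLAN talks to
a host on another internal subnet. Subnets, flow format and sample flows are
all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan: cameras sit on their own VLAN, the rest of the LAN
# on separate subnets. Only the IoT VLAN's own gateway/DNS is reachable from it.
IOT_NET = ipaddress.ip_network("192.168.50.0/24")
INTERNAL_NETS = [ipaddress.ip_network("192.168.1.0/24"),
                 ipaddress.ip_network("10.0.0.0/8")]
ALLOWED_INTERNAL = {ipaddress.ip_address("192.168.50.1")}  # IoT gateway / resolver


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse a constructed 'src dst proto dport' flow line."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto, int(dport))


def is_boundary_violation(flow: Flow) -> bool:
    """True when an IoT-VLAN device reaches an internal host other than its gateway."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if src not in IOT_NET or dst in ALLOWED_INTERNAL:
        return False
    return any(dst in net for net in INTERNAL_NETS)


def find_violations(lines):
    """Return the flows that cross from the camera VLAN into the internal LAN."""
    return [f for f in map(parse_flow, lines) if is_boundary_violation(f)]


# Constructed sample flows: outbound cloud traffic and gateway DNS are expected;
# the two flows into the LAN are what a segmentation policy should have blocked.
SAMPLE_FLOWS = [
    "192.168.50.23 203.0.113.10 udp 9000",   # camera -> vendor cloud (allowed)
    "192.168.50.23 192.168.50.1 udp 53",     # camera -> IoT gateway DNS (allowed)
    "192.168.50.23 192.168.1.15 tcp 445",    # camera -> LAN file server (violation)
    "192.168.50.23 10.0.4.8 tcp 22",         # camera -> internal host (violation)
]

if __name__ == "__main__":
    for f in find_violations(SAMPLE_FLOWS):
        print(f"ALERT {f.src} -> {f.dst} {f.proto}/{f.dport}")
```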

The vulnerabilities uncovered in the AJCloud platform highlight the ongoing security challenges within the IoT space, especially with devices as widespread as Wi-Fi cameras. Given the sheer number of devices affected, the potential impact is global in scope. It is imperative that vendors, users, and the security community work together to patch these flaws and prevent future exploitation.

For detailed technical analysis and proof-of-concept tools, please visit the full report and scripts on the researchers’ GitHub repository.

Indicators of Compromise (IOC)

No specific Indicators of Compromise (IOCs) were provided in the source material.

MITRE ATT&CK

Tactic | Technique | ID | Description
Initial Access | Exploit Public-Facing Application | T1190 | Potential exploitation of publicly exposed AJCloud services.
Execution | Command and Scripting Interpreter: Unix Shell | T1059.004 | Using root shell access via UART to execute firmware commands.
Persistence | Boot or Logon Autostart Execution | T1547.001 | Manipulating device configuration for persistence through UART.
Impact | Firmware Corruption | T1495 | Bricking cameras by corrupting firmware configuration files.


References

Storm on the Horizon: Inside the AJCloud IoT Ecosystem — Elastic Security Labs