Hidden cameras, also called spy cameras, are surveillance tools commonly used to spy on people without their knowledge. Whilst previous studies largely focused on investigating the detection of such cameras and the privacy implications, the security of the camera itself has received limited attention. Compared with ordinary IP cameras, spy cameras are normally sold in bulk at cheap prices and are ubiquitously deployed in hidden places within homes and workplaces. A security compromise of these cameras can have severe consequences. In this paper, we analyse a generic IP camera module, which has been packaged and re-branded for sale by several spy camera vendors. The module is controlled by mobile phone apps. By analysing the Android app and the traffic data, we reverse-engineered the security design of the whole system, including the module's Linux OS environment, the file structure, the authentication mechanism, the session management, and the communication with a remote server. Serious vulnerabilities have been identified in every component. Combined, they allow an adversary to take complete control of a spy camera from anywhere over the Internet, enabling arbitrary code execution. This is possible even if the camera is behind a firewall. All that an adversary needs to launch an attack is the camera's serial number, which users sometimes unknowingly share in online reviews. We responsibly disclosed our findings to the manufacturer. Whilst the manufacturer acknowledged our work, they showed no intention to fix the problems. Patching or recalling the affected cameras is infeasible due to complexities in the supply chain. However, it is prudent to assume that bad actors have already been exploiting these flaws. We provide details of the identified vulnerabilities in order to raise public awareness, especially of the grave danger of disclosing a spy camera's serial number.