Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

FLIR Thermal Traffic Cameras WebSocket Unauthenticated Device Manipulation Vulnerability

Vulnerability

A vulnerability allowing unauthenticated manipulation of device settings has been identified in FLIR thermal traffic cameras. The issue arises from an insecure implementation of WebSocket communication in several models, including TrafiOne, ThermiCam and TrafiSense. By sending crafted WebSocket messages, an attacker can bypass authentication and authorization, alter device configuration directly, read sensitive system information, and potentially cause a denial of service. Additionally, because the devices do not support secure WebSocket (wss://) connections, the traffic is sent in plain text and can be intercepted.
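The two weaknesses above (handshakes accepted without credentials, and only plaintext ws:// available) are visible at the network edge, so a defender can watch for them. The following detection script is an added example, not code from the advisory or from FLIR; the logfmt log layout, the camera addresses, the management allowlist and the header names are all assumptions, and the log lines are constructed.

```python
"""Flag WebSocket handshakes to thermal traffic cameras that arrive without
credentials, over plaintext ws://, or from a host outside the management
allowlist. Log format, hosts and header names are assumptions."""
import re

# Constructed sample in logfmt style (assumed export from a reverse proxy or
# network sensor in front of the cameras); "-" means the header was absent.
SAMPLE_LOG = """\
src=10.0.5.20 dst=192.168.10.31 scheme=https method=GET path=/ws status=101 upgrade=websocket authorization=Basic cookie=-
src=10.0.9.77 dst=192.168.10.31 scheme=http method=GET path=/ws status=101 upgrade=websocket authorization=- cookie=-
src=10.0.5.20 dst=192.168.10.32 scheme=http method=GET path=/ws status=101 upgrade=websocket authorization=- cookie=session
src=10.0.9.77 dst=192.168.10.32 scheme=http method=GET path=/index.html status=200 upgrade=- authorization=- cookie=-
src=203.0.113.9 dst=192.168.10.33 scheme=http method=GET path=/ws status=101 upgrade=websocket authorization=- cookie=-
"""

CAMERA_HOSTS = {"192.168.10.31", "192.168.10.32", "192.168.10.33"}  # assumed camera IPs
ALLOWED_SOURCES = {"10.0.5.20"}  # assumed management workstation

_KV = re.compile(r"(\w+)=(\S+)")


def parse_logfmt(line):
    """Turn one key=value line into a dict."""
    return dict(_KV.findall(line))


def is_ws_handshake(rec):
    """HTTP 101 with Upgrade: websocket marks a completed handshake."""
    return rec.get("status") == "101" and rec.get("upgrade", "").lower() == "websocket"


def find_risky_handshakes(log_text, cameras, allowed):
    """Return one finding per risky WebSocket handshake to a camera host."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_logfmt(line)
        if rec.get("dst") not in cameras or not is_ws_handshake(rec):
            continue
        reasons = []
        if rec.get("authorization", "-") == "-" and rec.get("cookie", "-") == "-":
            reasons.append("no credentials on handshake")
        if rec.get("scheme") == "http":
            reasons.append("plaintext ws:// (no TLS)")
        if rec.get("src") not in allowed:
            reasons.append("source not on management allowlist")
        if reasons:
            findings.append({"src": rec["src"], "dst": rec["dst"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_risky_handshakes(SAMPLE_LOG, CAMERA_HOSTS, ALLOWED_SOURCES):
        print(f"{f['src']} -> {f['dst']}: {'; '.join(f['reasons'])}")
```

Until the firmware update is applied, any handshake flagged for missing credentials from a host outside the allowlist is the pattern this advisory describes and is worth an alert.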

Impact

Exploitation of this vulnerability could lead to unauthorized modification of device settings, disclosure of sensitive system information, and initiation of a denial-of-service condition by causing the device to reboot.

Reproduction

The vulnerability can be reproduced by establishing a WebSocket connection to the device's WebSocket endpoint without authentication. Once connected, an attacker can send messages to the device that correspond to various command types recognized by the WebSocket API. This includes messages that can alter device settings or initiate a reboot, thereby causing a denial-of-service condition.

Remediation

FLIR has released firmware updates to address this vulnerability. Instructions for applying the update can be found on the FLIR website.

Added: Dec 24, 2025, 8:47 PM
Updated: Dec 24, 2025, 9:49 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 9.1
remediation: 7.7
relevance: 1.7
threat: 8.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.