FLIR Thermal Traffic Cameras RTSP Stream Disclosure Vulnerability
Vulnerability
A vulnerability in FLIR thermal traffic cameras allows remote access to live video streams without authentication. This issue affects multiple camera models and versions, including TrafiOne, TI BPL2 EDGE, TI x-stream, ThermiCam, TrafiSense, and TrafiRadar. The vulnerability arises from the cameras' exposure of RTSP streaming URLs and other video endpoints, enabling unauthorized users to retrieve video feeds and snapshots directly.
Impact
Exploitation of this vulnerability leads to unauthorized access to live video streams and snapshots from the affected cameras.
Reproduction
The vulnerability can be reproduced by accessing the camera's video stream endpoints, such as '/live.mjpeg', '/snapshot.jpg', or the RTSP streaming URLs, without any authentication. This can be done using a web browser or a media player that supports RTSP, such as VLC.
Remediation
FLIR has released firmware updates to address this vulnerability. Users should upgrade to the latest version available for their camera model.
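After upgrading, an operator can confirm that the two HTTP endpoints named above no longer serve media to a request that carries no credentials. The following is an added example, not FLIR's code or part of the original advisory. It assumes the cameras answer plain HTTP on port 80, the host list is the operator's own inventory (the addresses shown are constructed documentation addresses), and RTSP is not checked because the advisory gives no RTSP path.

```python
import urllib.error
import urllib.request

ENDPOINTS = ("/live.mjpeg", "/snapshot.jpg")  # HTTP paths named in the advisory
MEDIA_TYPES = ("image/", "video/", "multipart/x-mixed-replace")

def classify(status, content_type):
    """Classify the response to one request sent without credentials."""
    if status is None:
        return "unreachable"
    if status in (401, 403):
        return "protected"
    ctype = (content_type or "").lower()
    if status == 200 and ctype.startswith(MEDIA_TYPES):
        return "exposed"       # media served with no authentication
    return "inconclusive"      # e.g. 404 or an HTML login page: check by hand

def probe(host, path, timeout=5):
    """GET http://host/path with no credentials; return (status, content type)."""
    try:
        with urllib.request.urlopen(f"http://{host}{path}", timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Content-Type")
    except OSError:            # URLError, timeouts and refused connections
        return None, None

def audit(hosts, fetch=probe):
    """Map each host to {path: classification}."""
    return {h: {p: classify(*fetch(h, p)) for p in ENDPOINTS} for h in hosts}

def needs_upgrade(report):
    """Hosts where at least one endpoint still serves media unauthenticated."""
    return sorted(h for h, paths in report.items() if "exposed" in paths.values())

if __name__ == "__main__":
    # Constructed responses standing in for two cameras (TEST-NET addresses).
    sample = {
        ("192.0.2.10", "/live.mjpeg"): (200, "multipart/x-mixed-replace; boundary=frame"),
        ("192.0.2.10", "/snapshot.jpg"): (200, "image/jpeg"),
        ("192.0.2.11", "/live.mjpeg"): (401, None),
        ("192.0.2.11", "/snapshot.jpg"): (401, None),
    }
    report = audit(["192.0.2.10", "192.0.2.11"], fetch=lambda h, p: sample[(h, p)])
    print(report)
    print("still exposed:", needs_upgrade(report))
```

Calling `audit()` without the `fetch` argument sends real requests through `probe()`; any host listed by `needs_upgrade()` is still on vulnerable firmware or has the endpoints reachable without authentication.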
