BS Producten Petcam Incorrect Access Control Vulnerability Allowing Unauthenticated Access to Live Streams

A vulnerability allowing incorrect access control has been identified in BS Producten Petcam version 33.1.0.0818. This issue arises when the device is in 'Local Mode', which broadcasts an unencrypted Wi-Fi access point. An unauthenticated attacker in physical proximity can connect to this open network and gain access to the camera's private network interface. This access allows the retrieval of sensitive information, including live video and audio streams, without the need for credentials.

Impact

Exploitation of this vulnerability leads to unauthorized access and information leakage, allowing interception of unencrypted network traffic and access to internal APIs for further exploitation.

Reproduction

To reproduce this vulnerability, activate the 'Local Mode' on the BS Producten Petcam. Once the device is broadcasting an open Wi-Fi network, connect to it. After establishing a connection, an IP address is assigned via DHCP, providing access to the camera's control and streaming services. The RTSP stream on port 554 and the custom API on port 8001 can be accessed immediately, with the live video feed available without authentication.

Remediation

It is recommended to implement mandatory encryption by default for the 'Local Mode' access point, using WPA2 or WPA3. Additionally, each device should have a unique password for authentication, and all internal services should require individual authentication, even when accessed over the local network.