Tenvis JPT3815W camera gets firmware update to, still a threat to your privacy

21 July 2014

It has been more than two weeks since my findings regarding the vulnerabilities of the Tenvis JPT3815W network camera. Since then, these findings were re-posted and verified by other individuals like Craig Russel and thus far it was discovered that this vulnerability exists only in the firmware. Thankfully, Tenvis took this more seriously, especially after Craig twitted them about this issue and they promised a fix. And indeed they did issue a fix, or at least they tried to. On 4th of July, I emailed them again, inquiring about a firmware update. Here’s their answer:

Dear Customer,

Greetings from TENVIS! This is Bruce from TENVIS custom service. We are very pleased to assist you to solve the problem.

Here is new firmware you need to upgrade.

Please download both of them.

Please use the small file to upgrade first. After small file upgrading succeed, please use big file to upgrade.

After upgrading both, please refresh camera’s web page to check camera’s firmware version which should be new version

small file http://apps.tenvis.com/download/small.update

big file http://apps.tenvis.com/download/big.update

This update, adds user authentication prompts in the /snapshot.cgi so it’s not so easy anymore to watch a live frame from the camera or…. is it? Read more to find out!

As for the /get_params.cgi, which used to return the wifi password and more, it is still visible to everyone, but at least they have hard-coded a “0000” string to where the actual local wireless network password was. The local network’s SSID is still visible. This solution does not amaze me to be honest, but since I have not found any obvious dangers with this approach, I will settle with it for the time being.

Next, I tried again to see if I can make sense of their SDK and still found that impossible. The vast majority of their interfaces do not work, at least for my model/firmware. I messaged them again, insisting for them to give me a way to get a video stream out of it. They replied and mentioned that I can access a “video” (mjpeg to be more precise) stream at /vjpeg.v. Indeed, using my camera’s URL and appending the above string to it, returns an mjpeg stream, which by the way I could not view in Google Chrome for some reason but only in Firefox and Opera. (VLC works as well) Unfortunately, no authentication is needed for this stream, so again ANYONE can watch your camera’s live feed. This method makes things easier for the attacker since he will not have to compose the video himself/herself, by getting a sequence of snapshots and merging them together. Tenvis was emailed instantly about this, however they simply replied they would fix it this issue in the next version… Moreover, googling around about “/vjpeg.v”, I found out the Tenvis’ Forum user “securitycam” had already discovered this vulnerability regarding /vjpeg.v and also pointed out the lack of authentication, but Tenvis chose once again to ignore him.

To conclude, these cameras are performing alright for their price, but are documented poorly, supported inadequately and proved to pose a security threat to your privacy. Avoid unless you don’t mind taking those risks!