1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar

Does the Shellshock bug affect IP cameras?

You may be aware of the ‘Shellshock’ bug or ‘Bashbug’ which was recently discovered in Linux operating systems. Many of the web servers on the Internet use Linux to host websites or web applications. By the same token, most IP cameras use the same technologies as part of their on-board operating systems and therefore may pose a hacking risk to your organisation.

We have been asking the IP camera manufacturers we work with for advice on this issue.

The first to respond was Axis Communications, who have confirmed that their IP cameras are not vulnerable to this bug since Axis IP cameras do not use bash.

What’s the risk?

The bash bug works by allowing an attacker to send a request to a web server (one that uses bash to interface with the operating system) using an internal system variable with malformed data. This can be used to trick bash into treating the request as a command, which is in turn executed as part of a normal request. This is a particularly easy bug to exploit and we understand the importance of ensuring that cameras we supply are free from this vulnerability.

We are confirming with other IP camera manufacturers where they stand on this bug and will update this blog post as we get the answers.

Update – manufacturers who have now confirmed their products are unaffected are as follows:

Axis Communications
Arecont Vision
NUUO (hotfix available)
QNAP (firmware update now available)

Published on September 29th, 2014 by Kevin Bowyer

Comments are closed.