Monday, June 04, 2007

Siemens Gigaset WLAN camera security problem

The Siemens Gigaset WLAN camera has a big security problem.
Telnet and FTP, ports 23 and 21, are completely open on this camera. Anyone can connect to yourcameraIP:23 with a telnet client, log in as root, and access the Linux system running in the camera without being asked for a password.
On connecting, the camera returns:

Linux 2.4.19-uc1 (SI4e7141) (ttyp0)


SI4e7141 login: root
Welcome to
_ ____
____ ____ __| |___ ____ _ _ \ /
/ __]___ \/ _ | _ \| __ \| | | ||\\//|
| (__( (_) )(_) |(_)_) | | | |_| ||//\\|
\____]\___/\___/\____]_| |_|\____| /__\

Embedded Linux Solutions

For further information see:
http://www.cadenux.com/web/bsp



BusyBox v0.60.3 (2005.08.22-11:11+0000) Built-in shell (msh)
Enter 'help' for a list of built-in commands.

The help command does not work:
# help
help: not found
#


Possible commands are:

cat
cd
date
df
du
echo
exit
free
hostname
ifconfig
kill
killall
ls
lsmod
mount
nslookup
ping
ps
pwd
reboot
route
set
uptime
whoami



The password of the wireless network is then revealed in plain text in a 'file', open to any visitor who knows how to use a Linux terminal. The 'password file' can be read with the cat command.
No password needed. Ever.

It seems Siemens has no clue about network security. Siemens offers no firmware upgrade, even though setting a secret password for the root user is essential for this to be a usable and safe product. Be warned: don't use this camera without putting a firewall in front of it.
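To confirm that a firewall really blocks the camera's FTP and telnet ports, a check like the following can be run from the network that should be kept out. This is an added example, not part of the original post; the function names and the script name check_camera.py are assumptions.

```python
import socket
import sys

# Ports the post reports as open on the camera.
CAMERA_PORTS = {21: "ftp", 23: "telnet"}


def probe_port(host, port, timeout=3.0):
    """Return (state, banner_bytes); state is 'open', 'closed' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            try:
                banner = sock.recv(256)   # greeting, if the service sends one
            except OSError:               # timeout or reset: port is still open
                banner = b""
            return "open", banner
    except ConnectionRefusedError:
        return "closed", b""              # host answered with a TCP reset
    except OSError:
        return "filtered", b""            # timeout or unreachable: likely firewalled


def printable(raw):
    """Drop telnet option bytes and control characters from a banner."""
    text = raw.decode("ascii", "ignore")
    return "".join(ch for ch in text if ch.isprintable()).strip()


def audit_camera(host, ports=CAMERA_PORTS, timeout=3.0):
    """Probe each port and report whether it is reachable from this machine."""
    findings = []
    for port, service in sorted(ports.items()):
        state, banner = probe_port(host, port, timeout)
        findings.append({"port": port, "service": service, "state": state,
                         "banner": printable(banner), "exposed": state == "open"})
    return findings


def is_protected(findings):
    """True only if none of the probed ports accepted a connection."""
    return not any(f["exposed"] for f in findings)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_camera.py <camera-ip>")
    results = audit_camera(sys.argv[1])
    for f in results:
        print(f"{f['port']}/{f['service']}: {f['state']} {f['banner']!r}")
    sys.exit(0 if is_protected(results) else 1)
```

The script exits with status 1 while either port still accepts connections, so it can be rerun after every firewall change until both ports report closed or filtered.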