Seems the Cam is highly Vulnerable to security risks in the used P2P implementation found by Paul Marrapese
Being honest i have just waited for something like this to appear because of the strange UDP Hole Punching P2P Protocol used. Blocking UDP Traffic on Port 31200 should „solve“ the problem if you dont need the Cloud connectivity, but i would prefer to simply not use that cameras anymore.
Some months ago a purchased an Escam G02 from Banggood for approx. 18€.
Some days after that Pierre Kim released a paper which showed horrible security flaws in millions of Wifi Webcams, of course after reading this i asked myself if the Escam G02 is also affected.
After getting the cam i started digging. Please keep in mind that i am no pro security researcher, but i think i digged deep enought.
Web Interface Security
The Webinterface looks horrible and is „secured“ by the standard admin/admin combo but the rest looks okay. Also it does not feature TLS. Mostly everything is controlled by a cgi script called params.cgi. I was not able to find any problems with that but who knows. Nevertheless the WebIF uses Basic auth but the Password is only base64 encoded, so a MitM could easily retrieve the credentials. If you really want to expose the WebIF to the internet you should change all Passwords (yep there are more that one for the admin) and use the cam behind a SSL Proxy.
Now its time to see which ports are open on this device. Open Telnet would be the worst case. But don’t worry haven’t found that. There are 4 ports open: 80 (WebIF), 554 (rtsp), 1935 (rtmp), 8080 Onvif. No more open ports to find.
Serial Debug port
I thought maybe i could gather shell access by finding Serial debug port. There really is one labeled J3 on the PCB. Pin 1 is TX, Pin 2 is Ground, couldnt figure out where RX was. Port uses standard 115200 baud 8N1. Didnt matter what i have tried, i was not able to stop the automatic boot.
Here is a boot log if someone is interested:
Bigger problem for my is the Cloud Service aka P2P Service so you can use Camera with the CamHi App. This protokol uses UDP hole punching to convert your firewall into swiss cheese. If deactived it does not contact any Servers, but than you also cant use the CamHi app. Fortunately this cam does not send all their config data to the server like the cams that Pierre Kim has watched over. The cam contacts these Server if you activate the P2P feature:
184.108.40.206 (Alibaba use for FW Upgrades which do not use TLS 😉 )
220.127.116.11 (Amazon Singapore)
18.104.22.168 (Amazon EC2)
I have not checked what the app transmits till now, if someone is interested i could do it in the future. Do youreself a favor and disable that feature, maybe also think of disabling DHCP and give the cam a false Gateway address so it cannot phone home.
For 18€ the cam is okay and not a complete security mess. Okay i cannot understand why it is not possible to use TLS for Software updates and the Webif but at least there is no open Telnet or vulnarable FTP Scripts.
If you only use the cam in your LAN through a VPN and disable the P2P feature you are good to go. If you are more paranoid block the cam from the internet by your firewall.