A while ago I received an Edimax Webcam, the IC-7000 PTn v3, to test for possible vulnerabilities. So I updated to the latest available firmware version, which is v1.7.
A quick portscan shows the following ports open:
PORT STATE SERVICE VERSION
80/tcp open http GoAhead-Webs embedded httpd
| HTTP/1.1 401 Unauthorized
|_ Basic realm=Network Camera
|_http-methods: No Allow or Public header in OPTIONS response (status code 400)
| http-title: Document Error: Unauthorized
|_Requested resource was http://192.168.178.16/index.htm
554/tcp open http GM Streaming Server httpd
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: Site doesn't have a title (text/html).
|_ DESCRIBE, SETUP, TEARDOWN, PLAY
4321/tcp open rwhois?
4322/tcp open unknown
The scan shows that the Real Time Streaming Protocol (RTSP) port is open to anyone on the network, and it lists the supported methods: DESCRIBE, SETUP, TEARDOWN and PLAY.
By default RTSP is configured to listen on TCP port 554 with the following settings:
Please note the paths for both MPEG4 and H264; these are required to stream the video and will be used to perform the authentication bypass on the Edimax Webcam.
VLC Player is used to bypass the authentication (there’s simply no authentication) to stream the video from the Edimax Webcam:
Enter the IP address, the RTSP port and the filename, then click Play. The video stream now plays without authentication for anyone on the network.
Currently the only way to avoid the authentication bypass is to use long and non-guessable filenames, which in itself is not much of a protection.