Threat researchers at cybersecurity firm GreyNoise Intelligence discovered two security vulnerabilities in live-streaming cameras used in such sectors as industrial operations and health care that could have let bad actors gain complete control over the Internet of Things (IoT) devices.
The researchers wrote in a report this week that the threat was detected after an attacker tried to execute an exploit against the vendor’s Sift honeypot. The hacker had developed and automated an exploit for a zero-day security flaw that sought out and targeted IoT devices, including such cameras.
However, while the GreyNoise analysts noted the discovery of the two vulnerabilities – tracked as CVE-2024-8956 and CVE-2024-8957 – what’s particularly notable is that it was an internal and proprietary AI technology that detected them.
“This marks one of the first instances where threat detection has been augmented by AI to discover zero-day vulnerabilities,” they wrote. “By surfacing malicious traffic that traditional tools would have missed, GreyNoise successfully intercepted the attack, identified the vulnerabilities, and reported them before they could be widely exploited.”
They added that such a proactive approach that combines AI-powered detection with expert human analysis showed that “AI can dramatically accelerate the discovery of vulnerabilities — making the internet safer, one discovery at a time.”
GreyNoise’s Sift is powered by large language models (LLMs) trained on a massive amount of internet traffic – including traffic targeting IoT devices – and can identify anomalies that traditional systems could miss, they wrote. They said Sift can spot new anomalies and threats that haven’t been identified or don’t fit the signatures of known threats.
The honeypot analyzes real-time traffic and uses the vendor’s proprietary datasets and then runs the data through AI systems to separate routine internet activity from possible threats, which whittles down what human researchers need to focus on and delivers faster and more accurate results.
“In this case, Sift flagged unrecognized traffic that had not been tagged as a known threat,” they wrote. “This caught the attention of GreyNoise researchers, who further investigated the unusual traffic. Their investigation led to the discovery of two previously unknown zero-day vulnerabilities in live streaming cameras.”
According to the researchers, the vulnerabilities could let threat actors gain complete control of the cameras, view or manipulate the video feeds, disable the cameras’ operations, and pull the devices into larger botnets that can then be used to launch denial-of-service (DoS) attacks.
GreyNoise said hackers exploiting the vulnerabilities could have compromised NDI-enabled pan-tilt-zoom cameras from multiple manufacturers. The affected cameras feature an embedded web server that allows direct access via a web browser, and they tend to be deployed where reliability and privacy are critical, the researchers wrote.
Such environments include industrial and manufacturing plants for observing machinery and quality control, business conferencing rooms for video streaming and remote presentations, health care facilities for telehealth or surgical livestreams, courtrooms, and places of worship.
CVE-2024-8956, which carries a 9.1 out of 10 severity rating, stems from inadequate authentication and could let an attacker access sensitive information, including usernames, MD5 password hashes, and configuration data. The researchers said MD5 hashes are known to be insecure, and hackers who crack them can gain administrative access.
Exploiting CVE-2024-8957 – which has a 7.2 severity rating – a bad actor can execute arbitrary operating system commands and seize full control of the cameras.
In addition, by combining the security flaws, “an attacker could extract network details, including IP addresses, MAC addresses, and gateway configurations, potentially leveraging this information to pivot and move laterally into the device’s local network,” the researchers wrote. “This could potentially compromise other systems on the same network, which could lead to broader data breaches or even the spread of ransomware.”
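As an added illustration, not code from the GreyNoise report, the following Python triage pass mirrors the workflow described above on constructed honeypot log lines: requests matching a known signature are tagged as routine, and the untagged remainder is checked for the two weakness classes the report describes, unauthenticated reads of credential/configuration endpoints and shell metacharacters in request parameters. The signatures, endpoint paths and log lines are hypothetical and not the camera vendor’s real ones.

```python
import re
from urllib.parse import urlsplit, unquote

# Signatures a conventional IDS would already tag (constructed; not GreyNoise's tag set).
KNOWN_SIGNATURES = {
    "known-scanner-ua": re.compile(r'ua="(?:masscan|zgrab)', re.I),
    "wordpress-probe": re.compile(r"GET /wp-login\.php"),
}

# Hypothetical camera endpoints that must only be reachable with credentials.
SENSITIVE_PATHS = ("/cfg/export", "/cfg/users")

# Shell metacharacters that have no place in a camera-control parameter value.
SHELL_META = re.compile(r"[;|&`$()]")

# Constructed log format: <src> <METHOD> <target> auth=<0|1> ua="<agent>"
LOG_RE = re.compile(r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+) auth=(?P<auth>[01]) ua="(?P<ua>[^"]*)"$')

SAMPLE_LOG = [  # constructed sample lines, not real honeypot traffic
    '203.0.113.5 GET /wp-login.php auth=0 ua="Mozilla/5.0"',
    '198.51.100.7 GET /index.html auth=0 ua="masscan/1.3"',
    '192.0.2.9 GET /cfg/users?format=txt auth=0 ua="python-requests/2.31"',
    '192.0.2.9 POST /ctl/ptz?preset=1;ls auth=0 ua="python-requests/2.31"',
    '192.0.2.10 GET /cfg/export auth=1 ua="Mozilla/5.0"',
]

def triage(lines):
    """Return (line, tag, reasons) per line. Tagged lines are known traffic;
    untagged lines carry heuristic reasons so the unknown traffic surfaces first."""
    results = []
    for line in lines:
        tag = next((n for n, rx in KNOWN_SIGNATURES.items() if rx.search(line)), None)
        if tag:
            results.append((line, tag, []))
            continue
        reasons, rec = [], LOG_RE.match(line)
        if rec:
            url = urlsplit(rec["target"])
            if url.path.startswith(SENSITIVE_PATHS) and rec["auth"] == "0":
                reasons.append("unauthenticated access to credential/config endpoint")
            # Split on '&' by hand so ';' inside a value is inspected, not treated as a separator.
            for param in filter(None, url.query.split("&")):
                value = unquote(param.partition("=")[2])
                if SHELL_META.search(value):
                    reasons.append("shell metacharacters in parameter value: %r" % value)
                    break
        results.append((line, None, reasons))
    return results

def needs_analyst(results):
    """Untagged traffic with at least one heuristic hit: the analyst's review queue."""
    return [r for r in results if r[1] is None and r[2]]
```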
The discovery of the vulnerabilities highlights the larger security issues for an IoT environment that numbers 18 billion devices worldwide this year and could grow to 32.1 billion by 2030.
“Industrial and critical infrastructure sectors rely on these devices for operational efficiency and real-time monitoring,” the GreyNoise researchers wrote. “However, the sheer volume of data generated makes it challenging for traditional tools to discern genuine threats from routine network traffic, leaving systems vulnerable to sophisticated attacks.”
The FBI in September dismantled a botnet operated by Chinese threat group Flax Typhoon that comprised as many as 200,000 IoT devices – including small office/home office (SOHO) routers, firewalls, and network-attached storage (NAS) – and was used to attack critical infrastructure operations, corporations, universities, and government agencies in the United States and elsewhere.
The ability of GreyNoise’s AI-based tool illustrated the central role the emerging technology will play in detecting and mitigating the rising tide of cyberthreats that take advantage of the massive number of IoT devices and traffic they’re generating, according to Andrew Morris, founder and chief architect at GreyNoise.