A third method is to perform a brute-force attack in order to guess the password, because the camera has no protection against this and the passwords are limited to 12 characters, the researchers said.
Once an attacker gains access to a camera he can determine its firmware version, download a copy from the Internet, unpack it, add rogue code to it and write it back to the device.
The firmware is based on uClinux, a Linux-based operating system for embedded devices, so technically these cameras are Linux machines connected to the Internet. This means they can run arbitrary software like a botnet client, a proxy or a scanner, the researchers said.
Since the cameras are also connected to the local network, they can be used to identify and remotely attack local devices that wouldn't otherwise be accessible from the Internet, they said.
There are some limitations to what can be run on these devices since they only have 16MB of RAM and a slow CPU and most of the resources are already used by its default processes. However, the researchers described several practical attacks. One of them involves creating a hidden backdoor administrator account that's not listed on the Web interface.
A second attack involves modifying the firmware to run a proxy server on port 80 instead of the Web interface. This proxy would be set up to behave differently depending on who's connecting to it.
For example, if the administrator accesses the camera over port 80 the proxy would display the regular Web interface because the administrator wouldn't have his browser configured to use the camera's IP address as a proxy. However, an attacker who configures their browser in this manner would have their connection tunneled through the proxy.
The researchers released an open-source tool called "getmecamtool" that can be used to automate most of these attacks, including injecting executable files into the firmware or patching the Web interface.
The only thing that the tool doesn't automate is the authentication bypass attacks, the researchers said. The tool requires valid log-in credentials to be used for the targeted camera, a measure the researchers took to limit its abuse.
The cameras are also susceptible to denial-of-service attacks because they can only handle around 80 concurrent HTTP connections. Such an attack could be used, for example, in order to disable the camera while performing a robbery, the researchers said.