CVE-2020-27554

Vulnerability

The BASETech GE-131 BT-1837836 IP camera with firmware 20180921 transmits sensitive data (e.g., credentials, video stream) in cleartext between the mobile app "V12" and the camera. The communication is not encrypted, exposing data to anyone on the network [1].

Exploitation

An attacker with network access (e.g., on the same Wi-Fi or on the path between app and camera) can passively capture traffic using tools like tcpdump or Wireshark. No authentication or user interaction is required beyond being able to observe the network traffic. The camera also allows external access even when behind a firewall, expanding the attack surface [1].

Impact

Successful exploitation leads to disclosure of sensitive information such as device password (default "123456") and potentially video stream content. The attacker gains the ability to view live footage and obtain credentials that could be used for further access. The CIA impact is primarily confidentiality [1].

Mitigation

No firmware update has been released; the device appears abandoned by the vendor. Users should isolate the camera on a separate VLAN, disable remote access, and use network encryption (e.g., VPN) if possible. The default password should be changed to a strong one, though traffic remains in cleartext [1].