CVE-2018-20955

9.8 CRITICAL

📋 TL;DR

Swann SWWHD-INTCAM-HD security cameras had a hardcoded root password 'twipc' that allowed attackers to gain FTP access with root privileges. This affected all customers using these devices before the vendor's migration program. The vulnerability was completely mitigated by August 31, 2020 when all affected customers were migrated to new systems.

💻 Affected Systems

Products:
  • Swann SWWHD-INTCAM-HD security cameras
Versions: All versions before migration to Safe by Swann platform
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices were part of a hardware migration program completed by August 31, 2020. Any remaining devices are legacy systems that should be considered compromised.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the security camera system, allowing attackers to view live feeds, manipulate recordings, install malware, pivot to internal networks, and permanently disable security monitoring.

🟠 Likely Case

Unauthorized access to camera feeds and recordings, potential privacy violations, and use of compromised devices as footholds for further network attacks.

🟢 If Mitigated

No impact as all affected systems were migrated to new hardware by the vendor's deadline.

🌐 Internet-Facing: HIGH - These were internet-connected security cameras with hardcoded credentials, making them easily discoverable and exploitable from anywhere.
🏢 Internal Only: MEDIUM - Even on internal networks, the hardcoded credentials could be exploited by any internal attacker or malware.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation is trivial - attackers simply need to connect via FTP using root:twipc credentials. Public blog posts detail the exploitation process.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: https://www.swann.com/au/safe-by-swann-upgrade

Restart Required: No

Instructions:

1. Contact Swann support to verify migration status.
2. If you are still using affected hardware, immediately replace it with a Safe by Swann system.
3. Disconnect affected devices from the network until they are replaced.

🔧 Temporary Workarounds

Network Isolation

linux

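Completely isolate affected cameras from all networks, including the internet. The INPUT and OUTPUT rules block traffic between the camera and the firewall host itself; the FORWARD rules block traffic that the host routes to or from the camera.

iptables -A INPUT -s [CAMERA_IP] -j DROP
iptables -A OUTPUT -d [CAMERA_IP] -j DROP
iptables -A FORWARD -s [CAMERA_IP] -j DROP
iptables -A FORWARD -d [CAMERA_IP] -j DROP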

FTP Service Disable

linux

Disable FTP service on affected devices if possible

killall ftpd
chmod -x /usr/sbin/ftpd

🧯 If You Can't Patch

  • Immediately disconnect device from all networks
  • Physically remove and destroy affected hardware

🔍 How to Verify

Check if Vulnerable:

Attempt FTP connection to camera IP on port 21 using credentials root:twipc. If connection succeeds, device is vulnerable.

Check Version:

N/A - This is a hardware migration, not a software patch

Verify Fix Applied:

Check with Swann support to confirm the device was migrated to the Safe by Swann platform. An attempted FTP connection should then fail.

📡 Detection & Monitoring

Log Indicators:

  • Failed FTP authentication attempts
  • Successful FTP logins as root
  • Unusual file transfers from camera

Network Indicators:

  • FTP connections to camera devices
  • Unusual outbound traffic from cameras
  • Port scanning from camera IPs

SIEM Query:

source="ftp.log" (user="root" OR password="twipc") OR dest_ip="[CAMERA_IP]" proto="ftp"
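
One way to check FTP logs for the three log indicators listed above, as an added example that is not part of the original advisory or any vendor tooling. The log lines (including the file path) are constructed in a vsftpd-style layout, and the failure threshold and alert names are assumptions; adjust the pattern to whatever your FTP daemon or sensor actually writes.

```python
import re
from collections import Counter

# Constructed sample lines in a vsftpd-style layout (assumption: the device or
# sensor producing your logs may use a different format; adapt LINE_RE).
SAMPLE_LOG = """\
Mon Jan  6 10:15:01 2020 [pid 311] [admin] FAIL LOGIN: Client "198.51.100.7"
Mon Jan  6 10:15:03 2020 [pid 312] [root] FAIL LOGIN: Client "198.51.100.7"
Mon Jan  6 10:15:04 2020 [pid 313] [root] FAIL LOGIN: Client "198.51.100.7"
Mon Jan  6 10:15:09 2020 [pid 314] [root] OK LOGIN: Client "198.51.100.7"
Mon Jan  6 10:15:20 2020 [pid 315] [root] OK DOWNLOAD: Client "198.51.100.7", "/mnt/rec/clip01.mp4", 482133 bytes, 310.2Kbyte/sec
Mon Jan  6 11:02:44 2020 [pid 340] [viewer] OK LOGIN: Client "192.0.2.25"
"""

LINE_RE = re.compile(
    r'\[pid \d+\] \[(?P<user>[^\]]*)\] (?P<status>OK|FAIL) (?P<action>[A-Z]+): '
    r'Client "(?P<client>[^"]+)"(?:, "(?P<path>[^"]*)")?'
)


def find_indicators(log_text, fail_threshold=3):
    """Return (kind, client, detail) alerts for the page's log indicators."""
    alerts, fails, root_sessions = [], Counter(), set()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        user, status, action, client = m.group("user", "status", "action", "client")
        if action == "LOGIN" and status == "FAIL":
            fails[client] += 1
            if fails[client] == fail_threshold:  # alert once per client
                alerts.append(("failed_logins", client, f"{fail_threshold} failures"))
        elif action == "LOGIN" and status == "OK" and user == "root":
            root_sessions.add(client)
            alerts.append(("root_login", client, "successful FTP login as root"))
        elif status == "OK" and action in ("DOWNLOAD", "UPLOAD") and client in root_sessions:
            # Transfers from a client that logged in as root earlier in the log
            alerts.append(("root_transfer", client, f"{action} {m.group('path')}"))
    return alerts


if __name__ == "__main__":
    for alert in find_indicators(SAMPLE_LOG):
        print(alert)
```

Because the root password on these cameras cannot be changed, any successful root login in such logs should be treated as an incident rather than as routine administration.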
