On Friday, March 3rd, an independent security researcher discovered a vulnerability that affected many products manufactured by an OEM vendor. This vulnerability potentially allows unauthorized access to certain IP cameras and network digital video recorders.
This issue potentially makes access ports available to the public internet through methods such as DDNS or port forwarding that enable remote access. Certain FLIR and Lorex branded products that are produced by the OEM vendor may be affected by this vulnerability. We are devoting our full attention to resolving this issue and protecting our customers.
There is some good news to share. Many of these products are already protected from this vulnerability because the external connection is managed by FLIR’s Cloud connection service. With the device connected to the internet via the FLIR Cloud service, we have confirmed that these devices are no longer vulnerable to this issue. However, within a local network, the affected devices are still susceptible to this vulnerability from sources on the same local network, but this threat is much more limited.
Until this issue is resolved, our recommendation is to immediately disable DDNS, disable all port forwarding and, if available, turn off UPnP. We are continuing to work with our OEM partner to discover exactly which products are affected, and when patches will be available. As soon as we have more information, we will be clearly communicating everything to our distribution channel partners and through our corporate website. We will provide instructions on how to determine if a particular product is affected, as well as how to apply any required firmware updates.
To better serve our customers, FLIR is setting up a dedicated hotline for our customers to get any help they may need: 1.877.757.6981.
Please note that the following product lines are NOT affected by this vulnerability:
Further updates will be posted to www.FLIR.com/securityinfo; there is also a form where you can provide your contact information to receive notification when updates on this issue are available.