RSI Video Technologies' Videofied security system uses software named Frontel to monitor alarm status. Frontel uses an insecure custom protocol to communicate with its Frontel server.
Frontel uses a custom protocol running on TCP port 888. The protocol performs an authentication handshake using AES-128 and a pre-shared key, and then sends data.
CWE-321: Use of Hard-coded Cryptographic Key - CVE-2015-8252
A remote unauthenticated attacker may be able to spoof messages to manipulate and snoop on data, including video.
Apply an update
Thanks to Andrew Tierney for reporting this vulnerability.
This document was written by Garret Wassermann.