# Weak Firmware Integrity Check Vulnerability During Firmware Update in TRENDnet TV-IP651WI Network Camera

## Affected Products:

We have tested on **TRENDnet TV-IP651WI Network Camera (firmware version: v1.07.01 and earlier)**. We suspect it may also work on other models with similar firmware versions.

## Overview:

The use of the cyclic redundancy check (CRC) algorithm for the integrity check during firmware update makes the TRENDnet TV-IP651WI Network Camera vulnerable to firmware modification attacks. An attacker can conduct a man-in-the-middle (MITM) attack to modify the new firmware image and bypass the checksum verification. A successful attack can either introduce a backdoor or malware to the device or cause a denial of service (DoS) on the device.

## Details:

When performing a firmware update, users can download a new firmware image from the vendor server and upload it via the web interface of the device. The web interface uses the HTTP protocol, which does not provide any cryptographic protection of the uploaded contents. Therefore, the firmware update process is vulnerable to man-in-the-middle (MITM) attacks.

In addition, the data integrity of the new firmware is verified on the device using the CRC32 algorithm. Specifically, after unpacking the firmware image, there is a binary, *alphapd*, in which some of the firmware update functionality is implemented. The binary checks the firmware integrity with the CRC32 algorithm (see Fig. 1), which can be easily bypassed.

An attacker with a privileged network position (which could be obtained via ARP spoofing, DNS spoofing, or other approaches) can exploit this issue to provide arbitrary malicious firmware updates. Specifically, the attacker can craft a malicious firmware image with the same CRC32 value as the original firmware image. The attacker can then replace the benign firmware image during the firmware update process via a MITM attack so that the malicious firmware image is flashed onto the device.

![](https://i.imgur.com/vxz7AwT.png)

*Fig. 1. The decompiled firmware integrity check code during the firmware update.*
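
The following Python example is added here and is not code from this advisory or from the device firmware: it shows the property that makes an unkeyed CRC32 unsuitable as a security check, next to a comparison against a pinned SHA-256 digest. The image bytes, the function names and the pinned digest are constructed for illustration, and the digest is assumed to reach the verifier over an authenticated channel.

```python
import hashlib
import hmac
import zlib

# Constructed sample data (not a real firmware image).
GOOD_IMAGE = b"CONSTRUCTED-FIRMWARE" + bytes(range(256)) * 4
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + bytes([GOOD_IMAGE[-1] ^ 0x01])
# Assumption: this digest is obtained over an authenticated channel.
PINNED_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()


def crc32_check(image: bytes, expected_crc: int) -> bool:
    """The weak pattern: compare an unkeyed CRC32 with an expected value."""
    return (zlib.crc32(image) & 0xFFFFFFFF) == expected_crc


def crc32_is_affine(a: bytes, b: bytes, c: bytes) -> bool:
    """For equal-length inputs, crc(a^b^c) == crc(a)^crc(b)^crc(c).

    The CRC of any modified image is computable without a secret,
    so CRC32 detects accidental corruption but authenticates nothing.
    """
    if not (len(a) == len(b) == len(c)):
        raise ValueError("inputs must have equal length")
    mixed = bytes(x ^ y ^ z for x, y, z in zip(a, b, c))
    return zlib.crc32(mixed) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(c)


def sha256_check(image: bytes, pinned_hex: str) -> bool:
    """Hardened check: constant-time comparison with a pinned SHA-256 digest."""
    digest = hashlib.sha256(image).hexdigest()
    return hmac.compare_digest(digest, pinned_hex.lower())


if __name__ == "__main__":
    zeros = bytes(len(GOOD_IMAGE))
    print("CRC32 accepts original:", crc32_check(GOOD_IMAGE, zlib.crc32(GOOD_IMAGE)))
    print("CRC32 is affine:", crc32_is_affine(GOOD_IMAGE, TAMPERED_IMAGE, zeros))
    print("SHA-256 accepts original:", sha256_check(GOOD_IMAGE, PINNED_SHA256))
    print("SHA-256 rejects tampered:", not sha256_check(TAMPERED_IMAGE, PINNED_SHA256))
```

A pinned digest only helps when it arrives over an authenticated channel; a device-side fix would instead verify a vendor signature over the image before flashing.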