Production line monitoring cameras made by Japanese company Inaba Denki Sangyo are affected by several potentially serious vulnerabilities that could be exploited for surveillance and sabotage, but they remain unpatched.
Inaba Denki Sangyo manufactures air conditioning, electrical installation, and control system products.
Researchers at industrial and IoT security firm Nozomi Networks have analyzed the companyβs Choco Tei Watcher Mini (IB-MCT001) camera, which is used to monitor plants for production disruptions and analyze incidents.
the camera is affected by four types of vulnerabilities, including critical issues related to weak password requirements and forced browsing, a high-severity issue related to the use of client-side authentication, and a medium-severity flaw related to the storage of passwords.
A remote, unauthenticated attacker can exploit the vulnerabilities to take full control of a device. An attacker could, for instance, covertly monitor live camera feeds (both video and audio).
βThis could facilitate industrial espionage, allowing competitors or malicious actors to spy on proprietary manufacturing processes and gain insights into workflow optimizations, specialized machinery usage, or product assembly techniques. Additionally, it raises privacy concerns, as employees could be unknowingly monitored,β Nozomi explained, adding that βattackers could analyze security weaknesses, such as unattended machinery or shift changes, to plan further actions.β
The security firm also warned that the forced browsing vulnerability can be exploited to manipulate or delete footage.
βThis could result in the loss of critical diagnostic footage, making it difficult to analyze and resolve operational inefficiencies, leading to prolonged downtime and increased costs. In industries that require stoppage recordings for quality control or regulatory compliance, missing or altered footage could result in production recalls,β Nozomi said.
βAdditionally, a malicious insider could erase or modify footage to conceal intentional disruptions, equipment failures, or workplace incidents, without being detected.βto conceal intentional disruptions, workplace incidents, or equipment failures,β it added.
The security firm reported its findings to Inaba, but patches have not been released. Instead, the vendor has urged customers to implement mitigations, such as restricting access to the cameras and protecting them with firewalls and other security systems.