A new security analysis of LookCam-branded cameras reveals an ecosystem riddled with critical flaws, ranging from fake authentication and broken encryption to cloud features that allow remote access with nothing more than a device ID.
With over a million downloads of the LookCam app on Android, the scale of exposure is potentially significant.
The investigation by security researcher Wladimir Palant focused on a typical LookCam-compatible WiFi camera and found vulnerabilities across the hardware, firmware, communication protocol, and cloud backend. The devices in question are marketed as “spy cams” or nanny cams and often disguised as household items like clock radios, USB chargers, or wall sockets. Despite appearances, these products are fundamentally insecure and cannot be updated.
palant.info
Cameras affected by this research include those using the LookCam app and its variants, such as tcam, CloudWayCam, VDP, and AIBoxcam. While visually similar, the LookCamPro app is technically different and not believed to share the same flaws.
All these devices rely on the PPPP protocol, developed by Chinese company CS2 Network, which uses device IDs to establish remote communication via relay servers. This mechanism avoids firewall configuration but exposes devices directly to the internet.
The specific device analyzed runs on the Anyka AK39Ev330 platform and showed no signs of secure development practices or any firmware update capability. There is no clear vendor, no contact information, and no available firmware updates.
Critical security flaws
- Authentication is Nonfunctional
While the app allows users to set an access password, the firmware does not enforce it. Authentication commands are optional and easily bypassed. Any client can issue commands directly to the device, even with an incorrect password.
- Remote Code Execution (RCE)
The firmware is full of basic memory safety issues like buffer overflows and command injection. Protections such as DEP and ASLR are disabled. A single malformed request can lead to full control of the device.
- Broken or Missing Encryption
The PPPP protocol includes two proprietary encryption methods, both insecure. Keys are hardcoded, extremely short, and vulnerable to known-plaintext attacks. The networks used by LookCam basically operate without any encryption. Data, including passwords and video commands, is transmitted in plaintext over the network.
- Cloud Access Without Authentication
Devices upload video files in 5 MB chunks to cloud servers at api.l040z.com (or apicn.l040z.com) using unencrypted HTTP. No credentials are required, just the device ID. Anyone with this ID can activate cloud uploads remotely and access video recordings.
Cloud features are controlled by the server, not the user. If the server tells the device to start uploading, it will, even if the user never enabled cloud storage. Anyone can buy cloud access for a device and begin extracting footage without ever touching the device itself.
- Device ID Leakage and Enumeration
The only access control is a five-letter verification code appended to each device ID. These codes use a reduced alphabet and offer about 5 million possible combinations. With no server-side rate limiting, brute-force attacks are feasible.
Device IDs are displayed prominently in the app and often leaked via screenshots or shared videos. The ID is also broadcast over WiFi when the device runs in access point mode, making them easy to discover.
palant.info
Apart from the above, Palant also found that the device exposes a WiFi scanning function that reveals visible access points. Although the app omits MAC addresses, they are written to a temporary file on the device. This file can be downloaded remotely, enabling geolocation via public WiFi databases.
The camera cannot function without internet access. Blocking its outbound connections results in a boot loop, forcing users to expose it to the wider internet.
No fixes available
These cameras lack any secure update mechanism. The only update functionality present appears to be vendor-internal and inaccessible to end-users. Existing vulnerabilities are permanent and unpatchable. The system is designed with no consideration for long-term security or accountability.
The backend infrastructure uses server clusters referenced as “mykj” and “hekai” in the app, linked to unknown or untraceable entities. Attempts to identify or contact any responsible party have failed, suggesting deliberate vendor obfuscation.
LookCam device owners should stop using them, or at least avoid sharing screenshots of the app, as these leak the device ID and invite exploitation.
Thank you for this article, it’s a good summary of my research. Only two minor corrections:
1. On the topic of encryption you write “Most LookCam devices disable encryption entirely.” Encryption is a network-wide setting, it isn’t per-device. The networks used by LookCam just don’t have encryption enabled, full stop. Only exception are a few individual messages where encryption isn’t optional, but the bulk of the data is transmitted as plaintext.
2. “The only firmware present appears to be vendor-internal and inaccessible to end-users.” – I think “firmware” here should be “update functionality”?
Thank you for your comment. We have made edits to provide some clarification.