CVE-2024-31799 is an information disclosure vulnerability affecting the GNCC GC2 Indoor Security Camera 1080P. The flaw arises because the device exposes the WiFi passphrase via its UART debugging port, which is accessible physically on the hardware. An attacker with physical access can connect to this UART interface and extract the WiFi credentials without requiring authentication or user interaction. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized parties. The CVSS 3.1 base score is 4.6, reflecting medium severity due to the requirement for physical access (Attack Vector: Physical) but low complexity (AC:L) and no privileges or user interaction needed. The impact is primarily on confidentiality, as the attacker can obtain WiFi credentials, potentially enabling further network intrusion or lateral movement. There is no indication of integrity or availability impact. No patches or mitigations have been officially released, and no exploits are known in the wild as of the publication date. This vulnerability highlights the risk of exposed debug interfaces on IoT devices, which can leak sensitive configuration data if not properly secured or disabled in production units.

The primary impact of this vulnerability is the compromise of WiFi credentials, which can lead to unauthorized network access. Once an attacker obtains the WiFi passphrase, they may infiltrate the local network, potentially accessing other connected devices, intercepting network traffic, or launching further attacks such as man-in-the-middle or lateral movement within the network. For organizations, this can result in data breaches, loss of privacy, and disruption of operations if critical systems are accessed. The requirement for physical access limits the scope of exploitation to environments where attackers can physically reach the device, such as offices, homes, or public spaces where the camera is installed. However, in high-security environments or sensitive locations, this vulnerability poses a significant risk. The lack of authentication on the UART port and absence of encryption for stored credentials exacerbate the threat. Since no patches are currently available, affected organizations must rely on physical security controls and monitoring to mitigate risk.

To mitigate this vulnerability, organizations should implement strict physical security controls to prevent unauthorized access to the camera hardware, including secure mounting and restricted access to areas where cameras are installed. If possible, disable or restrict access to the UART debugging port on the device to prevent credential extraction. Network segmentation should be employed to isolate IoT devices from critical network resources, limiting the impact if WiFi credentials are compromised. Change WiFi passwords regularly and use strong, unique passphrases to reduce the window of opportunity for attackers. Monitor network traffic for unusual activity that could indicate unauthorized access. If feasible, replace affected devices with models that do not expose sensitive information via debug interfaces or that have updated firmware addressing this issue once available. Additionally, vendors should be contacted to request patches or firmware updates that disable or secure the UART port and protect stored credentials.