Two models of Foscam-made IP cameras have multiple bugs that allow anyone one the internet to view video feeds, control the camera and gain access to the network the devices operate on.
Security firm F-Secure has detailed 18 vulnerabilities in the two cameras from Shenzhen-based security camera maker, Foscam. Most of the bugs are “very severe and easily exploited by an attacker”, says the Finnish security company.
The flaws range from hard-coded and default credentials to hidden Telnet connections, and a firewall that leaks enough details that an attacker can brute force credentials. An attacker can use a combination of the bugs to gain persistent remote access, and create a new root user.
Besides threats to the user, F-Secure reminds that it was exactly these types of bugs that allowed the Mirai malware to bulk up on hundreds of thousands of IoT devices to launch last year’s assault on Dyn, which blocked millions of people from accessing Amazon, Twitter, Spotify and dozens of other popular sites.
The affected models are the Opticam i5 HD and Foscam C2, though the devices may also be sold under several different brands that rebadge Foscam hardware. F-Secure estimates there are tens of thousands of these vulnerable devices exposed on the internet.
Foscam is a popular brand, best known for making affordable internet-connected cameras for 'DIY' security systems in homes and businesses, as well as baby camera/monitors. It's also been held up as an example of all that’s wrong with the Internet of Things on several occasions.
Last year it was called out for a ‘feature’ in some security camera models that made it extremely difficult for the user to stop the devices from connecting to a peer-to-peer (P2P) network operated by Foscam. The firm boasts in product documents that the P2P functionality makes it easier for users to link a phone to the camera for remote monitoring.
However, it was the security of Foscam’s internet-connected baby monitors that caught the public’s attention in 2013 after someone hacked one of its devices to talk smut to a sleeping baby.
As with other examples of poorly secured IoT devices, F-Secure puts Foscam's latest acts of negligence down to prioritizing rapid shipping over security.
Foscam is aware of the importance of changing the default username and password on its devices. In a 2015 press release it urged customers to do this and ensure the latest firmware is installed.
However, even if users created a new password, an attacker could bypass Foscan's hard-coded credentials in the two current models in question.
Also, Foscan's latest firmware doesn't account for F-Secure's 18-bug find. F-Secure says it published details of the bugs today because Foscam had not released new firmware updates despite being notified several months ago.
“Because there appear to be no fixes available, we have refrained from publishing exploit code for practical proof-of-concept attacks,” F-Secure said.
CSO Australia has contacted Foscan to find out whether patches are being developed. The story will be updated if we receive a response.