Owners of connected security cameras from Chinese manufacturer Foscam should apply a new firmware update that addresses 20 security flaws found by Cisco.
Foscam, a maker of remote-access security cameras and baby monitors, has released a firmware update for its C1 camera and several other models to address privacy and security threats to users.
The internet-connected cameras allow users to access the device via Foscam’s mobile apps and what Cisco researchers found to be a bug-riddled web management interface.
Some of the more serious flaws could be used by attackers to “completely compromise the device”, according to researchers at Cisco’s Talos security unit. Others would allow an attacker to access information stored on the camera or to execute arbitrary commands in its operating system.
Cisco notes that undocumented, hardcoded FTP credentials on the C1 model could be used to log in remotely and gain full read and write access to the device’s MicroSD card, potentially exposing stored content such as audio and video recordings as well as images.
The researchers found that the file ‘/mtd/app/bin/ftpd/pureftpd.passwd' contained the entry “r:$1$whR6Mhk0$FR1VT/mX5D/qwRsgCkHLO.:1001:1001::/mnt/sd/./::::::::::::”: an FTP user named “r” with an MD5-crypt (“$1$”) password hash and a home directory on the mounted SD card. The hash cracks to the password “r”, giving the user/password combination “r:r”.
C1 cameras not behind a firewall that blocks access to port 50021 are wide open to any remote attacker who discovers these trivial credentials and uses them to reach the content stored on the camera’s mounted MicroSD card.
“This hash resolves to a simple user/pass combo of 'r:r'. The user/pass of r:r permits anyone to log into a Foscam camera and have full read/write to the mounted Micro-SD card, which contains .avi videos and .jpg snapshots. If the camera has a microphone, the .avi videos will have audio recording as well. An attacker armed with this knowledge can connect remotely to the target camera and dump potentially sensitive data,” Cisco notes in its advisory.
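The check Talos describes can be reproduced offline. The following Python script is an added example, not code from the article, from Cisco Talos or from Foscam: it parses pure-ftpd password entries, identifies the hash scheme from the “$1$” prefix (MD5-crypt, reimplemented here with hashlib so it runs on Python 3.13, where the standard-library crypt module has been removed), and tries each user's hash against the username itself and a small constructed wordlist. The only password entry is the one quoted above; the wordlist and the function names are assumptions for illustration.

```python
"""Audit a pure-ftpd password file for trivially guessable credentials.

Added example (not Talos or Foscam code). The single entry in PASSWD_FILE
is the line quoted in the Talos advisory; WORDLIST is constructed.
"""
import hashlib
from dataclasses import dataclass

# pure-ftpd format: user:hash:uid:gid:gecos:home:...  ("/./" marks the chroot point)
PASSWD_FILE = (
    "r:$1$whR6Mhk0$FR1VT/mX5D/qwRsgCkHLO.:1001:1001::/mnt/sd/./::::::::::::\n"
)

# Constructed wordlist for the demo; the username itself is always tried first.
WORDLIST = ["admin", "password", "123456", "foscam", "root", ""]

_ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


@dataclass
class PasswdEntry:
    user: str
    hash: str
    uid: int
    gid: int
    home: str

    @property
    def scheme(self) -> str:
        # "$1$" is the conventional prefix for MD5-crypt hashes
        return "md5-crypt" if self.hash.startswith("$1$") else "unknown"

    @property
    def salt(self) -> str:
        # layout is $1$<salt>$<digest>; the salt is at most 8 characters
        return self.hash.split("$")[2][:8]


def parse_passwd(text: str) -> list[PasswdEntry]:
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[5]))
    return entries


def _to64(v: int, n: int) -> bytes:
    # crypt(3)-style base-64: emit n characters, 6 bits each, low bits first
    out = b""
    for _ in range(n):
        out += _ITOA64[v & 0x3F:(v & 0x3F) + 1]
        v >>= 6
    return out


def md5_crypt(password: str, salt: str) -> str:
    """MD5-crypt ($1$) as defined by FreeBSD's crypt(3) and used by pure-ftpd."""
    pw, sl, magic = password.encode(), salt.encode()[:8], b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    n = len(pw)
    while n > 0:                      # mix in the alternate digest, 16 bytes at a time
        ctx.update(alt[:min(16, n)])
        n -= 16
    i = len(pw)
    while i:                          # the odd per-bit step of the original algorithm
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):             # 1000-round stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    enc = b""
    for a, b, c_ in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        enc += _to64((final[a] << 16) | (final[b] << 8) | final[c_], 4)
    enc += _to64(final[11], 2)
    return (magic + sl + b"$" + enc).decode()


def find_weak_credentials(text: str, wordlist=WORDLIST) -> list[tuple[str, str]]:
    """Return (user, password) pairs whose hash matches a guessable password."""
    found = []
    for e in parse_passwd(text):
        if e.scheme != "md5-crypt":
            continue
        for guess in [e.user, *wordlist]:
            if md5_crypt(guess, e.salt) == e.hash:
                found.append((e.user, guess))
                break
    return found


if __name__ == "__main__":
    for e in parse_passwd(PASSWD_FILE):
        print(f"user={e.user} scheme={e.scheme} salt={e.salt} home={e.home}")
    print("weak credentials:", find_weak_credentials(PASSWD_FILE))
```

On a real device image the same routine can be pointed at the extracted pureftpd.passwd; a hit on the username or a short wordlist is exactly the kind of hardcoded credential that a firewall rule on port 50021 only hides rather than removes.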
Most of the remaining flaws were in the camera’s web management interface, which had multiple command injection vulnerabilities that could be exploited to execute attacker-supplied commands on the C1’s operating system.
Cisco reported the bugs to Foscam in late March and has been working with the vendor to produce the patches released on Friday. Cisco disclosed details of 20 bugs as well as proof-of-concept exploits for each of them on Monday.
According to Foscam, affected models besides the C1 include C1 V2, C1-Lite, C1-Lite V2, FI9800E, FI9800P, FI9800P V2, FI9800W, FI9800XE, FI9803P V2, FI9803P V3, FI9815P, FI9815P V2, FI9816P, FI9816P V2, and FI9851P V2. The updated firmware is available on its support page.
Cisco’s disclosure follows an advisory by Finnish security firm F-Secure this month detailing 18 similar bugs in Foscam’s C2 model. F-Secure said it published the warning because Foscam hadn’t released a patch yet.
Though fixes have been released, it’s likely many of the devices won’t be patched and will join the sea of IoT devices compromised for distributed denial of service (DDoS) botnets like Mirai.
Security firm Kaspersky Lab separately released the results of a study that used a honeypot designed to attract Linux-based IoT malware. Between January and April, the firm logged attempts to log in to its honeypot devices over the Telnet and SSH protocols using lists of login/password combinations.
It found that over 63 percent of the attacking devices, which connected from more than 7.4 million IP addresses, were digital video recorders (DVRs) or IP cameras, and around 20 percent were home routers. Because these devices were attempting to log in to the honeypot, Kaspersky concluded that they, or at least one other device on the same network, were already infected.
"The existing competition in the DDoS market drives cybercriminals to look for new resources to launch increasingly powerful attacks. The Mirai botnet has shown that smart devices can be harnessed for this purpose – already today, there are billions of these devices globally, and by 2020 their number will grow to 20-50 billion devices," Kaspersky Lab noted.