mrosenquist
7 years ago

Foscam IP Cameras Vulnerable to Hacking

Security researchers have published more than a dozen different types of vulnerabilities they detected in IP cameras made by the Chinese company Foscam. After several months without a response from the manufacturer, the renowned Finnish security company F-Secure is making businesses and consumers aware of the risks.

Foscam is a well-known provider of a wide range of low-cost Internet Protocol (IP) cameras for use in homes and businesses. These products can easily be purchased online and in retail stores. It is also believed that Foscam supplies its cameras to other companies that box and brand the devices under their own names.

List of Vulnerabilities 

Eighteen vulnerabilities were discovered and mapped against the Common Weakness Enumeration (CWE) framework.  The most severe design vulnerabilities included: 

  • Insecure default credentials (CWE-255)
  • Hard-coded credentials (CWE-798)
  • Hidden functionality (CWE-912)
  • Command injection (CWE-77)
  • Incorrect permission assignment for critical resource (CWE-732)
  • Missing authorization (CWE-862)
  • Improper access control (CWE-284)
  • Improper restriction of excessive authentication attempts (CWE-307)
  • Uncontrolled resource consumption (CWE-400)
  • Cross-site scripting (CWE-79)
  • Stack-based buffer overflow (CWE-121)

I found the most egregious to be the hard-coded passwords, which users cannot change and which allow attackers to gain access to several functions and services of these devices. Additionally, the hidden Telnet functionality can expose even more ways to wreak havoc. These are remotely accessible and open the door to exploitation of the camera and other systems on the network.
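To make the first three CWE entries above concrete, here is an added example (not Foscam firmware and not F-Secure's code) that puts the weak credential pattern beside a hardened one. The factory username, password, minimum length and lockout thresholds are constructed placeholders, not Foscam's real defaults.

```python
"""Weak credential handling beside a hardened version (added example).

Illustrates insecure default credentials (CWE-255), hard-coded credentials
(CWE-798) and missing lockout after repeated failures (CWE-307).  All
names, defaults and thresholds are constructed for the example.
"""
import hashlib
import hmac
import os
import time

# --- Vulnerable pattern (CWE-255 / CWE-798): fixed credentials baked into
#     the firmware image, identical on every unit and never changeable.
FACTORY_USER = "admin"          # constructed placeholder, not a real default
FACTORY_PASSWORD = "admin"


def login_vulnerable(user: str, password: str) -> bool:
    """Plain string compare against constants; no lockout, no rotation."""
    return user == FACTORY_USER and password == FACTORY_PASSWORD


# --- Hardened pattern: per-device salted hash, forced change of the factory
#     password before any other function is allowed, and a lockout window.
class CameraAuth:
    MAX_FAILURES = 5          # CWE-307: stop unlimited guessing
    LOCKOUT_SECONDS = 300
    MIN_LENGTH = 12

    def __init__(self, initial_password: str, now=time.time):
        self._now = now                       # injectable clock for testing
        self._salt = os.urandom(16)           # per-device salt, not shared
        self._hash = self._derive(initial_password)
        self.must_change_password = True      # CWE-255: factory value unusable
        self._failures = 0
        self._locked_until = 0.0

    def _derive(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def _verify(self, password: str) -> bool:
        # Constant-time compare of derived hashes; nothing is hard-coded (CWE-798).
        return hmac.compare_digest(self._derive(password), self._hash)

    def change_password(self, old: str, new: str) -> bool:
        """Rotate the credential; the old one must be proven and the new one sane."""
        if not self._verify(old) or len(new) < self.MIN_LENGTH or new == old:
            return False
        self._salt = os.urandom(16)
        self._hash = self._derive(new)
        self.must_change_password = False
        return True

    def login(self, password: str) -> str:
        """Returns 'ok', 'locked', 'change_required' or 'denied'."""
        if self._now() < self._locked_until:
            return "locked"
        if not self._verify(password):
            self._failures += 1
            if self._failures >= self.MAX_FAILURES:
                self._locked_until = self._now() + self.LOCKOUT_SECONDS
                self._failures = 0
            return "denied"
        self._failures = 0
        if self.must_change_password:
            # Authenticated, but only the password-change flow is permitted.
            return "change_required"
        return "ok"
```

The vulnerable function is what a fixed, unchangeable password amounts to: every unit accepts the same string forever. The hardened class never stores the password itself, refuses to serve anything but the change flow until the factory value is replaced, and backs off after a handful of failures so guessing does not scale.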

Many of these vulnerabilities should have easily been caught and weeded out in product development. This tells me that the company most likely does not have security staff or expertise embedded in the product-development lifecycle. No security patches have been released. Their lack of response to the security researchers and omission of fixes is an indicator that they do not have a product-security incident response team to understand, verify, and remediate problems.

This leaves customers exposed and on their own.   

Products o’ Plenty 

F-Secure verified that two Foscam models (Opticam i5 and Foscam C2) were insecure, but suspects these vulnerabilities exist across many of their products and those sold under at least 14 other brand names: Chacon, Thomson, 7links, Opticam, Netis, Turbox, Novodio, Ambientcam, Nexxt, Technaxx, Qcam, Ivue, Ebode, and Sab.

F-Secure indicated it was able to create exploit code as part of the process of validating the weaknesses, and chose not to release the details to the public because doing so would only help interested attackers. This decision aligns with the ethics of responsible reporting of cyber vulnerabilities.

Buyer Beware 

These products are insecure, in a big way. Unless you are prepared to put mitigations in place to compensate for these vulnerabilities, you should be very wary about using easily exploitable products or patronizing companies which do not take security seriously. In the end it is your privacy, security and safety that hangs in the balance.    

Attackers could not only take over your cameras, but also use such access as an entry point to your network. They can conduct attacks against other systems inside your home or business, and against targets on the Internet as part of a coordinated campaign with other compromised devices.

Such attacks are gaining popularity, leveraging easily compromisable Internet-of-Things (IoT) devices. Recent massive Distributed Denial of Service (DDoS) attacks, like those coordinated by the Mirai malware, are powered by an army of hacked devices connected to the Internet. IP cameras, home routers, DVD players and other devices work in unison under the criminal's command to disrupt the network availability of major targets. Last year, this botnet brought down Dyn's DNS services, which contributed to the unavailability of major internet sites such as Twitter, Etsy, Spotify, AirBnB, Github, and the New York Times. These botnets are also used for specific attacks against targeted companies where ransoms are demanded by cybercriminals. Hackable IoT devices are a tremendous resource for cybercriminals.
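The two preceding paragraphs describe what a compromised camera looks like on the wire: its hidden Telnet service reached from outside, the camera reaching into other internal hosts, and the camera fanning out to many Internet hosts as a botnet member. The following is an added example, not part of the original post or of F-Secure's report, that runs those three checks over constructed connection-log lines. The camera VLAN, LAN range, the recorder address and the fan-out threshold are all assumptions for the example.

```python
"""Detection over constructed connection logs (added example).

Flags three behaviours a compromised IP camera exhibits:
  1. its Telnet service (port 23) reached from a non-LAN address,
  2. connections it initiates to internal hosts other than its recorder,
  3. fan-out to many distinct external hosts, as a DDoS bot would do.
Subnets, hosts and log lines below are constructed, not real data.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List

CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")       # assumed camera VLAN
LAN_NET = ipaddress.ip_network("192.168.0.0/16")            # assumed whole LAN
ALLOWED_INTERNAL = {ipaddress.ip_address("192.168.1.10")}   # assumed NVR / recorder
FANOUT_THRESHOLD = 20   # distinct external peers before a camera is suspicious

# Constructed log lines: "<epoch> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
1700000000 203.0.113.7 192.168.50.21 23 tcp
1700000001 192.168.50.21 192.168.1.10 554 tcp
1700000002 192.168.50.21 192.168.1.25 445 tcp
1700000003 192.168.50.22 198.51.100.1 80 tcp
""" + "\n".join(
    f"17000001{i:02d} 192.168.50.22 198.51.100.{i} 80 tcp" for i in range(1, 26)
)


def parse(line: str):
    """Split one constructed log line into typed fields."""
    ts, src, dst, port, proto = line.split()
    return int(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto


def analyze(log_text: str) -> List[Dict]:
    """Return one finding dict per suspicious behaviour seen in the log."""
    findings: List[Dict] = []
    external_peers = defaultdict(set)
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, src, dst, port, proto = parse(raw)
        # Rule 1: Telnet on a camera reached from outside the LAN.
        if dst in CAMERA_NET and port == 23 and src not in LAN_NET:
            findings.append({"rule": "telnet_exposed", "camera": str(dst),
                             "peer": str(src), "ts": ts})
        if src in CAMERA_NET:
            if dst in LAN_NET and dst not in CAMERA_NET and dst not in ALLOWED_INTERNAL:
                # Rule 2: camera talking to an internal host it has no business with.
                findings.append({"rule": "lateral_move", "camera": str(src),
                                 "peer": str(dst), "ts": ts})
            elif dst not in LAN_NET:
                external_peers[src].add(dst)
    # Rule 3: fan-out to many distinct external peers.
    for cam, peers in external_peers.items():
        if len(peers) >= FANOUT_THRESHOLD:
            findings.append({"rule": "external_fanout", "camera": str(cam),
                             "peer_count": len(peers)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The rules assume the cameras live on their own subnet and that a camera should only ever talk to its recorder internally; anything else is worth an alert, and a camera that suddenly opens connections to dozens of Internet hosts is behaving like a bot rather than a camera.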

Decisions to use vulnerable products connected to the Internet can affect everyone.  We are all in this together, so choose wisely.       


The F-Secure blog post "Is This Cam Inviting Hackers into Your Home?" outlines more details, and the full F-Secure report can be found here: https://business.f-secure.com/foscam_cameras_and_compromise


Interested in more? Follow me on LinkedIn, Twitter (@Matt_Rosenquist), Information Security Strategy, and Golos to hear insights and what is going on in cybersecurity.