Foscam IP cameras riddled with gaping security holes
F-Secure researchers have discovered a bucketload of serious security vulnerabilities affecting IP cameras made by Chinese manufacturer Foscam. Even though notified months ago, Foscam has still not fixed the issues.
The researchers have found the holes in the Opticam i5 HD device and the Foscam C2, but say it’s very likely that they affect other camera models manufactured by the company, as well as other products Foscam manufactures and sells under other brand names: Chacon, Thomson, 7links, Netis, Turbox, Novodio, Ambientcam, Nexxt, Technaxx, Qcam, Ivue, Ebode, Sab, and Opticam.
“Some of the vulnerabilities are very severe and easily exploited by an attacker. Others require more effort to exploit, but had the more glaring flaws not existed, would be targets in themselves,” they noted.
The security issues include insecure default credentials, hard-coded credentials, hidden Telnet functionality, a flawed firewall, command injection bugs, missing restriction of multiple login attempts, and so on. Exploitation of these flaws could allow total device compromise.
What can users do?
Unfortunately, there’s not much individual users can do about it if the company does not push out a patch. Change the default password on their device will not help much as the attackers can simply use the hard-coded credentials to gain access to it.
They can try to “hide” the device from attackers by installing the cameras within a dedicated network or VLAN, so that it is not discoverable via the Internet.
“What shouldn’t be forgotten is that this device is not just a camera, it’s also a server. A vulnerable server that gives an attacker a foothold into the rest of the network,” noted F-Secure’s Janne Kauhanen.
Corporate users should, therefore, be even more careful when contemplating the use of such devices.
“Understand the systems. Do risk and threat modelling, investigate the security track record of the vendor and verify the device can be patched if necessary,” the researchers advised. “Before any widespread deployments, do security testing beforehand. And segment the network heavily based on trust levels.”
The company has also provided a number of recommendations for Foscam that would help them fix the flaws, but it remains to be seen if they’ll take them to heart.