Multiple Flaws in Foscam IP Cameras Open Devices, Networks to AttackersInsecure IP cameras are yet another example of IoT devices that are not built to withstand the threat landscape of the internet.
Insecure IP cameras are yet another example of IoT devices that are not built to withstand the threat landscape of the internet.
Helsinki, Finland – June 7, 2017: F-Secure has discovered multiple vulnerabilities in two Foscam-made IP cameras that open the devices up to easy compromise by online attackers when exposed to the internet. The vulnerabilities, detailed in a new report, allow an attacker to remotely control a device and its video feed and download files from its built-in server. If an exploited device has access to a local area network, the attacker could access the network and its resources. An attacker could also use a device to perform other malicious activity, such as DDoS attacks against other parties.
“These vulnerabilities are as bad as it gets,” said Harry Sintonen, senior security consultant at F-Secure, who found the vulnerabilities. “They allow an attacker to pretty much do whatever he wants. An attacker can exploit them one by one, or mix and match to get greater degrees of privilege inside the device and the network.”
The discovery is the latest in a long list of internet-enabled “things,” or smart devices, that are not adequately secured to withstand modern attacks that take place constantly across the internet. Smart cars, CCTV cameras, DVRs, water kettles, and routers are just some of the devices that have been found to be woefully insecure. The problem has been magnified by botnets such as Mirai, which co-opted internet-exposed insecure cameras and DVRs to orchestrate last October’s giant internet outage – the largest DDoS attack against the internet infrastructure in history.
The vulnerabilities, which number 18 in total, offer an attacker multiple ways to compromise the device. Insecure, hard-coded and empty credentials give attackers easy administrator level access allowing full control over the device. The software neglects to restrict access to critical files and directories, allowing an attacker to modify them with their own commands. An attacker can also perform remote command injection, cross-site scripting, buffer overflows, and brute force password attacks, among other malicious actions, to ultimately fully compromise the device and access the network.
“Security has been ignored in the design of these products,” said Janne Kauhanen, cyber security expert at F-Secure. “The developers’ main concern is to get them working and ship them. This lack of attention to security puts users and their networks at risk. The irony is that this device is marketed as a way of making the physical environment more secure – however, it makes the virtual environment less so.”
Chinese manufacturer Foscam makes a number of IP cameras. Some are white-labeled and sold under various other brand names, one of which is Opticam. The two models Sintonen investigated are the Opticam i5 HD device and the Foscam C2. Sintonen says it’s likely many of these vulnerabilities also exist in other products Foscam manufactures.
Sintonen recommends keeping these devices in a separate network, not exposed to the internet. “Changing the default password is also a best practice that should always be followed,” he said. “Unfortunately, with these devices, hard-coded credentials can allow an attacker bypass the password even if it’s changed.”
Foscam has been notified about the vulnerabilities several months ago but to date, a fix has not been issued.
More information, including vulnerability details and mitigation recommendations, can be found in the full report.
Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With unsurpassed experience in endpoint protection as well as detection and response, F-Secure shields enterprises and consumers against everything from advanced cyber attacks and data breaches to widespread ransomware infections. F-Secure’s sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security. F-Secure’s security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 broadband and mobile operators and thousands of resellers.
Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.
F-Secure media relations
+358 45 209 3595
Latest Press Releases
F-Secure is partnering with the Global Cyber Alliance to step up the fight against malicious URLs with a secure DNS service that companies and individuals can use for free.
Email exposure study also shows 81% of the world’s top CEOs have had their personal information exposed in spam lists or leaked marketing databases.
F-Secure and the University of Helsinki re-launch their cyber security MOOC following the success of last year’s offering.
F-Secure’s new Protection Service for Business features upgraded behavior-based blocking for Windows and Macs to give companies the protection they need from modern threats.