Multiple Flaws in Foscam IP Cameras Open Devices, Networks to Attackers

Insecure IP cameras are yet another example of IoT devices that are not built to withstand the threat landscape of the internet.

Helsinki, Finland – June 7, 2017: F-Secure has discovered multiple vulnerabilities in two Foscam-made IP cameras that open the devices up to easy compromise by online attackers when exposed to the internet. The vulnerabilities, detailed in a new report, allow an attacker to remotely control a device and its video feed and download files from its built-in server. If an exploited device has access to a local area network, the attacker could access the network and its resources. An attacker could also use a device to perform other malicious activity, such as DDoS attacks against other parties.

“These vulnerabilities are as bad as it gets,” said Harry Sintonen, senior security consultant at F-Secure, who found the vulnerabilities. “They allow an attacker to pretty much do whatever he wants. An attacker can exploit them one by one, or mix and match to get greater degrees of privilege inside the device and the network.”

The discovery is the latest in a long list of internet-enabled “things,” or smart devices, that are not adequately secured to withstand modern attacks that take place constantly across the internet. Smart cars, CCTV cameras, DVRs, water kettles, and routers are just some of the devices that have been found to be woefully insecure. The problem has been magnified by botnets such as Mirai, which co-opted internet-exposed insecure cameras and DVRs to orchestrate last October’s giant internet outage – the largest DDoS attack against the internet infrastructure in history.

The vulnerabilities, which number 18 in total, offer an attacker multiple ways to compromise the device. Insecure, hard-coded and empty credentials give attackers easy administrator level access allowing full control over the device. The software neglects to restrict access to critical files and directories, allowing an attacker to modify them with their own commands. An attacker can also perform remote command injection, cross-site scripting, buffer overflows, and brute force password attacks, among other malicious actions, to ultimately fully compromise the device and access the network.

“Security has been ignored in the design of these products,” said Janne Kauhanen, cyber security expert at F-Secure. “The developers’ main concern is to get them working and ship them. This lack of attention to security puts users and their networks at risk. The irony is that this device is marketed as a way of making the physical environment more secure – however, it makes the virtual environment less so.”

Chinese manufacturer Foscam makes a number of IP cameras. Some are white-labeled and sold under various other brand names, one of which is Opticam. The two models Sintonen investigated are the Opticam i5 HD device and the Foscam C2. Sintonen says it’s likely many of these vulnerabilities also exist in other products Foscam manufactures.

Sintonen recommends keeping these devices in a separate network, not exposed to the internet. “Changing the default password is also a best practice that should always be followed,” he said. “Unfortunately, with these devices, hard-coded credentials can allow an attacker bypass the password even if it’s changed.”

Foscam has been notified about the vulnerabilities several months ago but to date, a fix has not been issued.

More information, including vulnerability details and mitigation recommendations, can be found in the full report.

More Information Of Cameras & Compromise: How IoT Can Dull Your Competitive Edge Foscam IP Cameras Show Why It’s So Hard to Secure the IoT Video: Connected, and Compromised

About F-Secure

Nobody has better visibility into real-life cyber attacks than F-Secure. We’re closing the gap between detection and response, utilizing the unmatched threat intelligence of hundreds of our industry’s best technical consultants, millions of devices running our award-winning software, and ceaseless innovations in artificial intelligence. Top banks, airlines, and enterprises trust our commitment to beating the world’s most potent threats. Together with our network of the top channel partners and over 200 service providers, we’re on a mission to make sure everyone has the enterprise-grade cyber security we all need.

Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.

f-secure.com | twitter.com/fsecure | linkedin.com/f-secure

F-Secure media relations

Adam Pilkey

PR Content Manager

+358 40 637 8859
adam.pilkey@f-secure.com

Press list

Sign up for media information from F-Secure.

We process the personal data you share with us in accordance with our Corporate Business Privacy Policy.

Press archive

By year

Browse through our news by year.

By category

Browse through our news by category.