Thanks for signing up, a member of the Global PR team will be in touch with you shortly.
“These vulnerabilities are as bad as it gets,” said Harry Sintonen, senior security consultant at F-Secure, who found the vulnerabilities. “They allow an attacker to pretty much do whatever he wants. An attacker can exploit them one by one, or mix and match to get greater degrees of privilege inside the device and the network.”
The discovery is the latest in a long list of internet-enabled “things,” or smart devices, that are not adequately secured to withstand modern attacks that take place constantly across the internet. Smart cars, CCTV cameras, DVRs, water kettles and routers are just some of the devices that have been found to be woefully insecure. The problem has been magnified by botnets such as Mirai, which co-opted internet-exposed insecure cameras and DVRs to orchestrate last October’s giant internet outage – the largest DDoS attack against the internet infrastructure in history.
The vulnerabilities, which number 18 in total, offer an attacker multiple ways to compromise the device. Insecure, hard-coded and empty credentials give attackers easy administrator level access allowing full control over the device. The software neglects to restrict access to critical files and directories, allowing an attacker to modify them with their own commands. An attacker can also perform remote command injection, cross-site scripting, buffer overflows and brute force password attacks, among other malicious actions, to ultimately fully compromise the device and access the network.
“Security has been ignored in the design of these products,” said Janne Kauhanen, cyber security expert at F-Secure. “The developers’ main concern is to get them working and ship them. This lack of attention to security puts users and their networks at risk. The irony is that this device is marketed as a way of making the physical environment more secure – however, it makes the virtual environment less so.”
Chinese manufacturer Foscam makes a number of IP cameras. Some are white-labeled and sold under various other brand names, one of which is OptiCam. The two models Sintonen investigated are the OptiCam i5 HD device and the Foscam C2. Sintonen says it’s likely many of these vulnerabilities also exist in other products Foscam manufactures.
Sintonen recommends keeping these devices in a separate network, not exposed to the internet. “Changing the default password is also a best practice that should always be followed,” he said. “Unfortunately, with these devices, hard-coded credentials can allow an attacker bypass the password even if it’s changed.”
Foscam has been notified about the vulnerabilities several months ago but to date, a fix has not been issued.
More information, including mitigation recommendations, can be found in the full report and blog post here.
Nobody has better visibility into real-life cyber attacks than F-Secure. We’re closing the gap between detection and response, utilizing the unmatched threat intelligence of hundreds of our industry’s best technical consultants, millions of devices running our award-winning software, and ceaseless innovations in artificial intelligence. Top banks, airlines, and enterprises trust our commitment to beating the world’s most potent threats. Together with our network of the top channel partners and over 200 service providers, we’re on a mission to make sure everyone has the enterprise-grade cyber security we all need.
Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.
Sign up for media information from F-Secure.
Browse through our news by year.
Browse through our news by category.