Have Foscam IP Cameras? You might want to patch those

Internet-connected devices are gaining more attention from security researchers, given their increasing numbers and tendency to do security badly. IP cameras have been particularly bad citizens: exposed Telnet ports and poor privacy controls have gained some high-profile attention in the past. Scandinavian security company F-Secure has now turned its attention to popular home security models made by Foscam. Unfortunately, this isn't Foscam's first time in the limelight either.

The news is not good. F-Secure identified 18 security vulnerabilities, with some serious exposure in the mix.

  • Insecure default credentials, including a blank password for the built-in FTP server and access to the RTSP video stream
  • Hard-coded credentials, including hidden accounts, that cannot be changed by the user. 
  • Undocumented Telnet functionality
  • Various code injection exposures, including one which allows anonymous remote takeover and access to the network
  • Publicly writable startup script, allowing resident access to be established via FTP exposure
  • Publicly writable software directory, allowing modification of the software executed on start
  • Unauthenticated extraction of admin username and password
  • Unauthenticated reboot of the device
  • Firewall implementation that doesn't block all access, and allows validation of credentials
  • No restriction on login attempts allowing brute force in conjunction with the above
  • Header processing issue allowing blocking of the video feed until reboot
  • Cross-site scripting exposure
  • Buffer overflow allowing remote code execution

Foscam is an OEM, and sells its camera products to a number of rebadge vendors. So some, or all, of these issues may be present in devices from Chacon, Thomson, 7links, Opticam, Netis, Turbox, Novodio, Ambientcam, Nexxt, Technaxx, Qcam, Ivue, Ebode, and Sab.

Disturbingly, but perhaps unsurprisingly, F-Secure was unable to get a response from Foscam when these issues were responsibly disclosed. According to Foscam US, they had tried to pressure their Shenzhen counterparts to address the issues, and made the information available to their customers on June 14 to put the pressure on. This appears to have worked, as Foscam Shenzhen released a firmware update shortly thereafter.

The bad news is that there are a lot of models potentially impacted in this case. The good news is that there are updates now available. If you have cameras from any of these brands, it would be a good idea to check for updates ASAP. While there have not been any reported attacks as yet, the knowledge of these issues (even without proof of concept code) will have the bad guys looking at these cameras intently.