Chicken Little

Security camera insecurity “as bad as it gets”

 “The whole internet is at risk.”
—apparently not an exaggerated claim

Chinese IP security cameras are seeing some close scrutiny—yet again. But this time, it seems that one particular maker has utterly excelled itself.

Not only are certain cams chock-full of “very severe” vulnerabilities, but the manufacturer is said to have done nothing about it for “several months.” So some security researchers finally gave up waiting and are going public with the dreadful, dreadful news.

Seriously, if you have one of these, you might consider disconnecting it from the Internet. In this week’s Security Blogwatch, we stand open-mouthed in amazed wonderment.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Blocking IRL (see video below).


What’s the craic? Dan Goodin breaks the story—Internet cameras have hard-coded password that can’t be changed:

Security cameras manufactured by China-based Foscam are vulnerable…according to a 12-page report released Wednesday. … Researchers at F-Secure documented 18 vulnerabilities…likely to exist in many…camera models Foscam manufactures.

The vulnerabilities are compounded by the ability to permanently replace the normal firmware…with malicious firmware. … The researchers went on to say that they notified Foscam…several months ago [but] the manufacturer hasn't fixed any of…the vulnerabilities.


So, time to change your passwords, right? G’day, Liam Tung—Changing the default password on buggy Foscam IP cams won't stop hackers:

Most of the bugs are “very severe and easily exploited.” … An attacker can use a combination of the bugs to gain persistent remote access, and create a new root user.

It was exactly these types of bugs that allowed the Mirai malware to bulk up on hundreds of thousands of IoT devices. … Foscam [has] been held up as an example of all that’s wrong with the Internet of Things on several occasions. … Even if users created a new password, an attacker could [use] Foscam's hard-coded credentials.


Are you scared yet? F-Secure’s Melissa Michael and Harry Sintonen bring this enterprisey warning—IoT Could Dull Your Competitive Edge:

[It’s] what we call Hypponen’s Law: If it’s smart, it’s vulnerable. … We’ve all heard stories about hacker voyeurs spying on unsuspecting victims. But…this device is not just a camera, it’s also a server.

In a corporate network [an] attacker could infect it with malware that would grant…access to the rest of the network. … These vulnerabilities are as bad as it gets. … They allow an attacker to pretty much do whatever he wants.

This problem permeates smart “things”. … Security is not a selling point, so manufacturers don’t invest in it.

If we don’t get IoT security right, the whole internet is at risk.


And it’s not just Foscam-branded cams, oh no. Richard Chirgwin ramps up the fear—White-box webcam scatters vulnerabilities through multiple OEMs:

The Internet of Things just got a lot worse. … Other brands … use Foscam internals: Chacon, Thomson, 7links, Netis, Turbox, Novodio, Ambientcam, Nexxt, Technaxx, Qcam, Ivue, Ebode and Sab.

The vulnerabilities run quite a gamut: [including] command injections, permission errors, credential leaks, [and] cross-site scripting. … You could exploit the boot shell script, which is world-writable. … Or you could brute-force the Web interface, FTP or RTSP…even when the built-in firewall is enabled.
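Two of the weakness classes named above, the world-writable boot script and the hard-coded account, are things you can check for yourself once you have unpacked a firmware image. What follows is an added example, not F-Secure's tooling or Foscam's code: it builds a small constructed root filesystem that reproduces both bugs and audits it. The boot-script locations it searches are an assumption about typical embedded Linux layouts, and the password hash in the sample shadow file is a placeholder string.

```python
"""Audit an extracted firmware root filesystem for two weakness classes
named in the report: world-writable boot scripts and accounts whose
password hash is baked into the image.

Added example, not F-Secure's tooling or Foscam's code. The demo rootfs
below is constructed; run audit_rootfs() on a real extracted image
(e.g. the squashfs binwalk pulls out of a firmware update) instead.
"""
import stat
import tempfile
from pathlib import Path

# Assumption: where boot-time scripts live on typical embedded Linux.
# Real images may use other locations; extend these tuples as needed.
BOOT_SCRIPT_DIRS = ("etc/init.d", "etc/rcS.d", "etc/rc.d")
BOOT_SCRIPT_FILES = ("etc/rc.local", "etc/inittab", "etc/profile")


def world_writable_boot_scripts(root: Path) -> list[str]:
    """Return rootfs-relative paths of boot-time files any user can modify.

    Such a file turns any unprivileged foothold (a command-injection
    shell, say) into a persistent root backdoor: append a line, reboot.
    Symlinks are skipped because their own mode bits are meaningless.
    """
    candidates = []
    for d in BOOT_SCRIPT_DIRS:
        p = root / d
        if p.is_dir():
            candidates.extend(x for x in p.rglob("*") if x.is_file())
    candidates.extend(root / f for f in BOOT_SCRIPT_FILES if (root / f).is_file())
    hits = [
        str(f.relative_to(root))
        for f in candidates
        if not f.is_symlink() and f.stat().st_mode & stat.S_IWOTH
    ]
    return sorted(hits)


def hardcoded_accounts(root: Path) -> list[tuple[str, str]]:
    """Return (username, finding) for accounts that can log in with a
    credential shipped in the image: a fixed hash ('fixed-hash') or an
    empty password field ('no-password'). Reads /etc/shadow and, because
    old embedded images keep hashes there, /etc/passwd. 'x' (hash is in
    shadow), '*' and '!...' (locked) are not findings.
    """
    found = []
    for name in ("etc/shadow", "etc/passwd"):
        f = root / name
        if not f.is_file():
            continue
        for line in f.read_text(errors="replace").splitlines():
            fields = line.split(":")
            if len(fields) < 2 or not fields[0]:
                continue
            user, pw = fields[0], fields[1]
            if pw == "":
                found.append((user, "no-password"))
            elif pw != "x" and pw[0] not in "*!":
                found.append((user, "fixed-hash"))
    return found


def audit_rootfs(root: Path) -> dict[str, list]:
    return {
        "world_writable_boot_scripts": world_writable_boot_scripts(root),
        "hardcoded_accounts": hardcoded_accounts(root),
    }


def build_demo_rootfs() -> Path:
    """Constructed sample rootfs reproducing both weakness classes."""
    root = Path(tempfile.mkdtemp(prefix="rootfs-"))
    (root / "etc/init.d").mkdir(parents=True)
    bad = root / "etc/init.d/S99app"
    bad.write_text("#!/bin/sh\n/usr/bin/webserver &\n")
    bad.chmod(0o777)  # world-writable: the bug
    good = root / "etc/init.d/S10network"
    good.write_text("#!/bin/sh\nifup eth0\n")
    good.chmod(0o755)
    # root has a fixed hash (placeholder string, not a real hash),
    # daemon is locked, guest has no password at all.
    (root / "etc/shadow").write_text(
        "root:$1$placeholder$notarealhash:0:0:99999:7:::\n"
        "daemon:*:0:0:99999:7:::\n"
        "guest::0:0:99999:7:::\n"
    )
    return root


if __name__ == "__main__":
    for k, v in audit_rootfs(build_demo_rootfs()).items():
        print(f"{k}: {v}")
```

On a real image the interesting output is the first list: a world-writable file under init.d is the persistence primitive the report describes, and it matters whichever of the command-injection or credential bugs gets an attacker the initial shell. A fixed root hash is a finding even when the web interface forces a password change, since the web account and the system account are not necessarily the same thing.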


Time for an appropriate pseudonym? “unequivocal” is, well, far from equivocal: [You’re fired -Ed.]

That list of attack vectors reads like a clown car. You couldn't make [it] more vulnerable if you were specifically designing [it] with that in mind.


So how do we fix the problem? Paul Wagenseil told ya so, but thinks he has the solution—Foscam Security Cameras Full of Security Flaws:

We've said it before, and we'll say it again: Don't buy cheap…security cameras, because their security may just be terrible. … The flaws are staggeringly bad.

Foscam makes…commercial security cameras used by businesses and retailers. [They] could greatly endanger a company's computer network. … There's not much [people] can do to protect themselves, other than not connecting the cameras to the internet, which kind of defeats the purpose of an internet-connected security camera.


UPDATE: What does Foscam have to say for itself? Here’s its Security Statement:

This report is unfounded and completely ignores these standard security measures implemented in our cameras: … Foscam App and MyFoscam.com [do] not allow the customer to use the camera until the login credentials have been updated and secured.

Foscam's hard-coded FTP credential only allows access from a local network, no remote FTP. [The] security policy protects from brute force hacking by locking out the account after 6 failed login attempts within 30 seconds.
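The lockout rule in that statement is easy to model, and modelling it shows what it buys. The following is an added example, not Foscam's firmware or F-Secure's code: it implements an account lockout after 6 failures within 30 seconds exactly as stated, assumes the lock lasts 30 seconds (the statement gives no duration) and a simulated clock, and runs a constructed wordlist against it. An attacker who paces guesses at one every six seconds never trips the lock and still gets roughly 14,000 guesses a day; and because the lock is on the account, anyone who can reach the login form can keep the legitimate owner locked out.

```python
"""Model the lockout policy in Foscam's statement: lock the account after
6 failed logins within 30 seconds. Added example, not Foscam firmware.

Assumptions: the lock lasts 30 s (the statement gives no duration), time
is a simulated clock in seconds, and the wordlist is constructed.
"""
from collections import deque
from typing import Iterable, Optional

WINDOW_S = 30.0
MAX_FAILS = 6
LOCKOUT_S = 30.0  # assumption: duration of the lock


class Account:
    def __init__(self, password: str):
        self.password = password
        self.fail_times: deque = deque()  # recent failure timestamps
        self.locked_until = 0.0

    def login(self, guess: str, now: float) -> str:
        """Return 'locked', 'ok' or 'fail'.

        Failures are counted in a sliding WINDOW_S window; the MAX_FAILS-th
        failure locks the account for LOCKOUT_S seconds.
        """
        if now < self.locked_until:
            return "locked"
        while self.fail_times and now - self.fail_times[0] > WINDOW_S:
            self.fail_times.popleft()
        if guess == self.password:
            self.fail_times.clear()
            return "ok"
        self.fail_times.append(now)
        if len(self.fail_times) >= MAX_FAILS:
            self.locked_until = now + LOCKOUT_S
            self.fail_times.clear()
        return "fail"


def paced_guesses(account: Account, wordlist: Iterable[str],
                  budget_s: float) -> tuple[int, Optional[str], int]:
    """Attacker that spaces guesses so no window ever holds MAX_FAILS
    failures. Returns (guesses made, cracked password or None, times the
    server answered 'locked')."""
    interval = WINDOW_S / (MAX_FAILS - 1) + 0.001  # just over 6 s apart
    t, tried, locked = 0.0, 0, 0
    for pw in wordlist:
        if t > budget_s:
            break
        result = account.login(pw, t)
        tried += 1
        if result == "locked":
            locked += 1
        elif result == "ok":
            return tried, pw, locked
        t += interval
    return tried, None, locked


def lockout_dos(account: Account) -> bool:
    """Per-account lockout cuts both ways: six wrong guesses from anyone
    who can reach the login form lock the real owner out as well.
    Returns True if the owner's correct password is refused afterwards."""
    for i in range(MAX_FAILS):
        account.login("not-the-password", float(i))
    return account.login(account.password, float(MAX_FAILS)) == "locked"


if __name__ == "__main__":
    day = 24 * 3600
    tried, hit, locked = paced_guesses(
        Account("correct-password"), (f"guess{i}" for i in range(10 ** 6)), day)
    print(f"{tried} guesses in one day, locked {locked} times, cracked: {hit}")
    print("owner locked out by attacker:", lockout_dos(Account("owner-pw")))
```

Fourteen thousand guesses a day is enough to exhaust the common default and dictionary passwords in a few days, which is why a lockout counter is a speed bump rather than a fix for weak or unchangeable credentials. Throttling per source address with a growing delay, rather than locking the account, slows the same attacker without handing them a way to lock the owner out; the example deliberately does not implement that, it only shows the stated policy.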


The moral of the story? If you're selling a product or service, don’t ignore security researchers’ vulnerability reports—even if you think they’re “unfounded.”

And finally…

Wouldn’t it be handy to block jerks in real life?

You have been reading Security Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or sbw@richi.uk.

Image source: Flickr