Multiple Vulnerabilities Found in Popular IP Cameras

Multiple vulnerabilities have been found in IP cameras made by China’s Foscam. The vulnerabilities were reported to the manufacturer several months ago, but no fixes have been made available. Foscam cameras are sold under different brand names, such as OptiCam. Users are advised to check who manufactured any IP cameras they own and, if necessary, take their own mitigation steps.

The vulnerabilities, 18 in all, were discovered by F-Secure, which specifically found them in the Opticam i5 and Foscam C2 cameras. F-Secure warns, however, that these vulnerabilities likely exist throughout the Foscam range and potentially in all 14 separate brands that it knows to sell Foscam cameras.

The flaws include insecure default credentials, hard-coded credentials, hidden and undocumented Telnet functionality, command injection flaws, missing authorization, improper access control, cross-site scripting, and a buffer overflow. All are detailed in a report (PDF) published today.

“Security has been ignored in the design of these products,” said Janne Kauhanen, cyber security expert at F-Secure. “The developers’ main concern is to get them working and ship them. This lack of attention to security puts users and their networks at risk. The irony is that this device is marketed as a way of making the physical environment more secure — however, it makes the virtual environment less so.”

While attention on IoT device security — especially cameras — has been focused by the Mirai botnet and the largest DDoS attack against the internet infrastructure in history, the quantity and severity of the Foscam vulnerabilities are particularly concerning. “These vulnerabilities are as bad as it gets,” commented Harry Sintonen, the F-Secure senior security consultant who found the vulnerabilities. “They allow an attacker to pretty much do whatever he wants. An attacker can exploit them one by one, or mix and match to get greater degrees of privilege inside the device and the network.”

F-Secure gives several example attacks against the products. For example, unauthenticated users able to access a specific port can use a command injection to add a new root user for the device and to enable a standard remote login service (Telnet). Then, when logging in through this remote login service, they have admin privileges on the device.

A second attack could take advantage of three of the individual vulnerabilities. “The empty password on the FTP user account can be used to log in,” explains the F-Secure report. “The hidden Telnet functionality can then be activated. After this, the attacker can access the world-writable (non-restricted) file that controls which programs run on boot, and the attacker may add his own to the list. This allows the attacker persistent access, even if the device is rebooted. In fact, the attack requires the device to be rebooted, but there is a way to force a reboot as well.”

Since there are no fixes yet available from Foscam, it is recommended that users only install the cameras within a dedicated network or VLAN. The report notes that changing the default password will not increase security here since, “because of the Foscam IP cameras’ use of hard-coded credentials, in this case an attacker can bypass unique credentials.”

Remediation responsibility, however, remains with the manufacturer. F-Secure lists 12 recommendations for Foscam, ranging from the installation of “a truly random default administrative password” with a password sticker attached to the underside of the device, to the removal of built-in credentials and the implementation of a proper iptables firewall.

In general, vendors should design security within their products from the beginning. “Having product security processes in place,” says the report, “and investing even modest resources into security is a differentiator from competitors. This can also work to vendors’ advantage when regulation enforces secure design practices.”


via:  securityweek
