White-box security webcam scatters vulnerabilities through multiple OEMs

Hands up anyone who tests what they stick their labels on. Anyone? We thought not

17 Reg comments Got Tips?

The Internet of Things got just a lot worse, with F-Secure unravelling eighteen vulnerabilities in IP cameras from Chinese vendor Foscam.

The company complains that after several months, “no fixes have been issued” – in other words, situation normal in IoT-land.

The bugs are spread far and wide, because while only two discrete units (one under the Foscam brand, one sold as Opticam) were tested, F-Secure named a bunch of other brands that use Foscam internals: Chacon, Thomson, 7links, Netis, Turbox, Novodio, Ambientcam, Nexxt, Technaxx, Qcam, Ivue, Ebode and Sab.

The two target units were the Opticam i5 running system firmware and application firmware; and Foscam's C2 running system firmware and application firmware

Pretty much everything F-Secure turned to sludge.

In order from the report (PDF), the vulnerabilities run quite a gamut: hard-coded credentials in various places, command injections, permission errors, credential leaks, cross-site scripting and more.

If, as an attacker, access via an FTP server with an empty password looks too easy, you could exploit the boot shell script, which is world-writable; or you could brute-force the Web interface, FTP or RTSP, none of which restrict login attempts, knowing that you can run these attacks even when the built-in firewall is enabled, because it doesn't work properly.

F-Secure provided three examples of attacks: adding a root user without authentication, and switching on the telnet daemon to log in and use FTP to drop a persistent payload (also unauthenticated) – which makes the ability for an authenticated attacker to add a new root user, enable telnet and log in as root look all too easy. ®

Update, June 20: Foscam has responded to the report saying the vulnerabilities have been addressed. More information here. ®


Biting the hand that feeds IT © 1998–2020