White-box security webcam scatters vulnerabilities through multiple OEMs

Hands up anyone who tests what they stick their labels on. Anyone? We thought not

The Internet of Things got just a lot worse, with F-Secure unravelling eighteen vulnerabilities in IP cameras from Chinese vendor Foscam.

The company complains that after several months, “no fixes have been issued” – in other words, situation normal in IoT-land.

The bugs are spread far and wide, because while only two discrete units (one under the Foscam brand, one sold as Opticam) were tested, F-Secure named a bunch of other brands that use Foscam internals: Chacon, Thomson, 7links, Netis, Turbox, Novodio, Ambientcam, Nexxt, Technaxx, Qcam, Ivue, Ebode and Sab.

The two target units were the Opticam i5 running system firmware and application firmware; and Foscam's C2 running system firmware and application firmware

Pretty much everything F-Secure turned to sludge.

In order from the report (PDF), the vulnerabilities run quite a gamut: hard-coded credentials in various places, command injections, permission errors, credential leaks, cross-site scripting and more.

If, as an attacker, access via an FTP server with an empty password looks too easy, you could exploit the boot shell script, which is world-writable; or you could brute-force the Web interface, FTP or RTSP, none of which restrict login attempts, knowing that you can run these attacks even when the built-in firewall is enabled, because it doesn't work properly.

F-Secure provided three examples of attacks: adding a root user without authentication, and switching on the telnet daemon to log in and use FTP to drop a persistent payload (also unauthenticated) – which makes the ability for an authenticated attacker to add a new root user, enable telnet and log in as root look all too easy. ®

Update, June 20: Foscam has responded to the report saying the vulnerabilities have been addressed. More information here. ®

Similar topics


Send us news

Other stories you might like