Multiple severe security flaws discovered in Foscam cameras
Thu 8 Jun 2017
Security researchers at F-Secure have discovered multiple security flaws in Foscam-manufactured internet video cameras. These flaws are severe and may result in an attacker gaining access to live video and video files, as well as the local network.
Vulnerabilities in the Foscam cameras allow a malicious entity access to private videos that could then be uploaded or downloaded to offsite servers or to the internet. Attackers could exploit them to take control of the camera operations, infect the device or network with malware, or use the compromised camera for DDoS attacks or other activities.
F-Secure reports that 18 different vulnerabilities were found in the Opticam i5, including admin passwords that are not only hard-coded but are the same from one device to the next. The built-in FTP user account is hard-coded as well, which, combined with the fact that the hard-coded admin password is insecure, allows an intruder access to upload and download files and view the RTSP video feed.
The configuration backup file is also protected by hard-coded credentials which, if accessed, would allow a hacker to decrypt the configuration file.
The cameras include a hidden Telnet functionality, which is not included in any specifications for the device. An attacker could use Telnet to scan the device or the network it is connected to for additional vulnerabilities.
Command injection vulnerabilities in the User Add and boot functions exist, but require valid administrative credentials. More troubling is the remote command injection vulnerability in the ONVIF implementation, which would allow an attacker several avenues of anonymous access to the camera and to the local network.
The cameras are vulnerable to brute force attacks, as there are no restrictions on multiple failed login attempts. While a firewall exists, it only limits access to the web user interface. Additionally, due to a variation in reported error messages, the firewall actually reveals information about administrative credentials, making even firewalled credentials vulnerable to a brute force attack.
While only two models of Foscam-made cameras were studied for vulnerabilities, the team believes that the security flaws discovered are endemic to the full line, and likely affect all 14 brands that market Foscam-manufactured internet video cameras. These brands include Chacon, Thomson, 7Links, Turbox, Novodio and Ambientcam, in addition to the Foscam C2 and Opticam i5, which were the focus of the security research.
Foscam cameras have been cited for security vulnerabilities as far back as 2013, when researchers from Qualys showed that authentication flaws allowed attackers to access the camera’s memory files, infect the device and LAN with malware, and gain remote access to the device.