In this young century, webcams have transitioned from a futuristic novelty to being, well, everywhere. The ability to capture images and video of anything anywhere played a key role in the explosion of social media, but our camera-drenched society also can make us feel uniquely vulnerable. The idea of a hacker being able to co-opt these digital eyes to capture us in our most intimate moments makes our ability to secure these digital eyes especially worrisome.
The utility of cameras, especially for physical security purposes, has made them one of the most common devices being connected to the so-called Internet of Things or, as Mikko Hypponen, F-Secure’s Chief Research Officer calls it, “the Internet of Insecure Things.”
And the insecurity of the IoT isn’t just some theoretical concept to be dealt with in the future when everything is connected. A new F-Secure report “Vulnerabilities in Foscam IP Cameras” finds multiple vulnerabilities plaguing tens of thousands of web-connected cameras around the globe.
“Foscam-made IP cameras have multiple vulnerabilities that can lead to full device compromise,” the report says. “An unauthenticated attacker can persistently compromise these cameras by employing a number of different methods leading to full loss of confidentiality, integrity and availability, depending on the actions of the attacker.”
These vulnerabilities — 18 in total, with all 18 found in the Opticam i5, and several in the Foscam C2, as well — make it possible to remotely take control of these stand-alone cams, which are often used to detect unwanted visitors.
(UPDATE: Foscam has updated their firmware to address these vulnerabilities. We are investigating the firmware update to verify that the issues have been resolved.)
“For example, an attacker can view the video feed, control the camera operation, and upload and download files from the built-in FTP server.” Not only that, with the help of some malicious code, attackers can leverage this camera to access the rest of the network it’s in.
Foscam has been notified about the findings, and F-Secure is going public after receiving no response for months. Foscam has a history of bugs allowing access to video feeds on IP cameras and baby monitors.
Janne Kauhanen of F-Secure Cyber Security Services advises that all users of all smart devices change their default passwords, always. No exceptions. But even that would not necessarily be enough to protect these vulnerable Foscam-made cameras, which include factory hard-coded credentials that cannot be changed by the user. An attacker who knows these hard-coded credentials (by finding them published on the internet, for example, which often happens) can use them to bypass the user’s own unique credentials.
And this is just one of the crop of vulnerabilities. Harry Sintonen of Cyber Security Services, who discovered them, describes them as “as bad as it gets.” The sheer number of vulnerabilities allows an attacker to pick and choose from multiple ways to take over the camera.
If you happen to have one of these cameras in your home, make sure that it is NOT exposed to the public internet. A firewall significantly reduces the risk of infection. And a smart security router like F-Secure SENSE —which uses artificial intelligence to sense the traffic of all your connected home devices — can also detect if your cameras or baby monitors are being misused.
The intimacy we grant cameras presents a unique opportunity to highlight the dangers of putting everything online without prioritizing security. And it’s an issue that needs highlighting now.
Even after co-opted IoT devices were used as part of the largest denial of service attack in history, manufacturers have demonstrated no eagerness to address this growing problem.
“The problem is bigger than this camera, this manufacturer,” said Janne said. “Smart devices, in general, are vulnerable. I think this is because manufacturers don’t consider security a selling point. And consumers certainly aren’t demanding it.”
Perhaps the idea of tens of thousands of vulnerable cameras might begin to change that.
To read more, and to learn how to protect your business, check out our full report and video.