Update 19 June 2017 – Foscam has updated their firmware to address these vulnerabilities. We are investigating the firmware update to verify that the issues have been resolved.
The Internet of Things is here. And with it are exciting possibilities, cost savings and efficiencies. But there’s a dark side to this bright new world, and it can be summed up in what we call Hypponen’s Law: If it’s smart, it’s vulnerable.
F-Secure and companies like us are discovering vulnerabilities in internet-connected “things” all the time. And Hypponen’s Law was proved yet again recently with the discovery of multiple vulnerabilities within two IP security cameras made by Chinese manufacturer Foscam. As detailed in our new report, F-Secure has identified 18 different vulnerabilities in the cameras that, if exploited, allow for an attacker to take control of the camera and view and download the video feed.
This is nothing new – we’ve all heard stories about hacker voyeurs spying on unsuspecting victims. But what shouldn’t be forgotten is that this device is not just a camera, it’s also a server. A vulnerable server that gives an attacker a foothold into the rest of the network, as F-Secure’s Janne Kauhanen explains in this video.
If this device happens to be in a corporate network and an attacker gains access to the network, the attacker could infect it with malware that would grant the attacker access to the rest of the network and its resources.
Networks in flux
The network perimeter is dissolving, and has been for years. With cloudification, consumerization, and a mobile work force, devices, assets and data that used to be inside are now outside, and what was out is now in. The Internet of Things further erases this network perimeter, with smart “things” extending the network far beyond workstations, laptops, smartphones or tablets.
Kauhanen put it this way: “IoT brings more devices into your networks that you don’t think of as network devices. This leads to a shadow IT situation where companies are not aware of all the devices in their networks. And if you don’t know about something, you can’t protect it.”
Harry Sintonen, our security consultant who found the vulnerabilities, says he’s never seen any device quite so poorly designed. “These vulnerabilities are as bad as it gets,” he said. “They allow an attacker to pretty much do whatever he wants. An attacker can exploit them one by one, or mix and match to get greater degrees of privilege inside the device and the network.”
Many of the vulnerabilities that plague this camera are about neglect. Neglecting to make default passwords random, neglecting to lock out users who attempt too many incorrect passwords, neglecting to restrict access to critical files and directories. And some of them are about capabilities that shouldn’t be there – like hidden Telnet access, or hard-coded credentials that allow an attacker to bypass even a user’s unique password.
But they all point to one thing: manufacturers’ chronic overlook of the issue of security. This problem permeates smart “things” in general. Security is not a selling point, so manufacturers don’t invest in it. This has led to legions of insecure cameras, routers, thermostats, DVRs, water kettles, cars, you name it.
And that’s a problem that doesn’t just affect the owners of these devices. Last autumn, unprecedented DDoS attacks employed armies of insecure, malware-infected IoT devices to bring down large swaths of the internet. The attacks proved that if we don’t get IoT security right, the whole internet is at risk.
Finding and infecting these devices is no problem for attackers out there, because manufacturers have made it pretty easy. Says Kauhanen, “If one of these devices is in your network, I guarantee, the bad guys are gonna find it.”
While it may sound like doom and gloom, there’s hope, say F-Secure experts. While regulation is never an ideal solution, it would help to get manufacturers’ attention on security.
“Many industries go through this process, where we realize there security issues to solve,” says Sean Sullivan, Security Advisor at F-Secure. “Cars, for example – eventually we realized seatbelts would be a good idea. IoT is going through the same process. In ten years, these issues will have worked themselves out. The question is, do you want these problems to dull your competitive edge in the meantime?”
For business, getting out in front of the problem means making sure these kinds of devices are in a separate network, not exposed to the internet. And it means adopting a holistic, multi-layer approach to security. Get a good picture of what is going on inside your network. Understand your attack surface, and minimize it.
For companies who build IoT devices, focusing on security now will put you ahead of the game when regulations begin to be enacted. So if you’re making smart things, design security into the software from the very beginning. Having product security processes in place and investing even modest resources into security differentiates you from the rest of the pack. This can work to your advantage, especially when regulations are put into place. You can learn more about designing secure systems from this talk by F-Secure principle security consultant Olle Segerdahl.