Changing the default password on buggy Foscam IP cams won't stop hackers

[Updated: Foscam has released a patch for these issues]

Two models of Foscam-made IP cameras have multiple bugs that allow anyone one the internet to view video feeds, control the camera and gain access to the network the devices operate on.

Security firm F-Secure has detailed 18 vulnerabilities in the two cameras from Shenzhen-based security camera maker, Foscam. Most of the bugs are “very severe and easily exploited by an attacker”, says the Finnish security company. 

The flaws range from hard-coded and default credentials to hidden Telnet connections, and a firewall that leaks enough details that an attacker can brute force credentials. An attacker can use a combination of the bugs to gain persistent remote access, and create a new root user.

Besides threats to the user, F-Secure reminds that it was exactly these types of bugs that allowed the Mirai malware to bulk up on hundreds of thousands of IoT devices to launch last year’s assault on Dyn, which blocked millions of people from accessing Amazon, Twitter, Spotify and dozens of other popular sites.

The affected models are the Opticam i5 HD and Foscam C2, though the devices may also be sold under several different brands that rebadge Foscam hardware. F-Secure estimates there are tens of thousands of these vulnerable devices exposed on the internet.

Foscam is a popular brand, best known for making affordable internet-connected cameras for 'DIY' security systems in homes and businesses, as well as baby camera/monitors. It's also been held up as an example of all that’s wrong with the Internet of Things on several occasions.

Last year it was called out for a ‘feature’ in some security camera models that made it extremely difficult for the user to stop the devices from connecting to a peer-to-peer (P2P) network operated by Foscam. The firm boasts in product documents that the P2P functionality makes it easier for users to link a phone to the camera for remote monitoring. 

However, it was the security of Foscam’s internet-connected baby monitors that caught the public’s attention in 2013 after someone hacked one of its devices to talk smut to a sleeping baby.      

As with other examples of poorly secured IoT devices, F-Secure puts Foscam's latest acts of negligence down to prioritizing rapid shipping over security. 

Foscam is aware of the importance of changing the default username and password on its devices. In a 2015 press release it urged customers to do this and ensure the latest firmware is installed. 

However, even if users created a new password, an attacker could bypass Foscan's hard-coded credentials in the two current models in question. 

Also, Foscan's latest firmware doesn't account for F-Secure's 18-bug find. F-Secure says it published details of the bugs today because Foscam had not released new firmware updates despite being notified several months ago.

“Because there appear to be no fixes available, we have refrained from publishing exploit code for practical proof-of-concept attacks,” F-Secure said.

Foscam provided CSO Australia with the following statement: 

We've conducted a thorough review and fixed all issues with firmware upgrades where necessary. In the interest of fairness, we feel it is important to clarify three things about the genesis of the negative PR which has resulted from this third party report from F-secure: 

1) The 18 items cited in the report were actually so minor in nature as to be virtually non-existent:
• They generally required the strong administrator password to be cracked before any unauthorized activity could be attempted (at which point just like for any PC or smartphone, with the administrator password a user already would have system control, making any vulnerabilities dependent on this condition so negligible as to be almost theoretical or academic in nature).

• There were therefore zero reports of any security breaches ever occurring in any products used by customers, due to the extremely improbable nature of the exploits.

2) The F-secure report was circulated via email and online by "Foscam.us". The company “Foscam.us” is actually a former distributor who became our competitor, and they do not officially represent Foscam or its products.

• Our competitor was not motivated to disclose the fact that these cited vulnerabilities were so improbable, or the fact that there are still, to date, zero recorded instances of a breach occurring.

3) Nonetheless, our last firmware update (which we recommend installing via the Foscam App, but which is also available on foscam.com ) completely addresses and fixes all items in this third-party report, because we always do whatever we can to stay ahead of industry standards and err on the side of caution, even when no truly substantive risks are present.