According to a report submitted by the security company called F-Secure, the security cameras made by a Foscam company from China have some notable flaws. For example, they’re extremely vulnerable to hacking attacks that when an attack is performed, the cameras might allow the hacker to see video feeds, compromise other devices, download existing files and more.
Up to 18 different vulnerabilities were documented by the researchers, first of which were reported several months ago. However, the company has yet to fix any of them. The brand that has all of these flaws is called Opticam i5 HD, while some flaws were found on the model marked Foscam C2. According to the report [Pdf], it’s possible that other models developed by the same manufacturer may carry similar flaws.
The research claims that the number of flaws can offer any attacker many ways of infecting the device. One of the flaws includes both unsecured, as well as hard-coded credentials. In both cases, a potential hacker can easily gain access to the devices. It’s also possible to use other flaws for the purpose of getting remote command injections.
The report also says that attackers can even modify the code of these devices or get to the root privileges by accessing world-writeable files. It’s also possible for an attacker to use Telnet and find even more flaws in the device, or its surrounding network. Also, the firewall protecting the devices doesn’t even act like one.
“The sheer number of vulnerabilities offers an attacker multiple alternatives in compromising the device. Among the discovered vulnerabilities are insecure default credentials and hard-coded credentials, both of which make it trivial for an attacker to gain unauthorized access. Other vulnerabilities allow for remote command injection by an attacker. World-writeable files and directories allow an attacker to modify the code and to gain root privileges. Hidden Telnet functionality allows an attacker to use Telnet to discover additional vulnerabilities in the device and within the surrounding network. In addition, the device’s “firewall” doesn’t behave as a firewall, and it also discloses information about the validity of credentials.”
All in all, these vulnerabilities are leaving a lot of possibilities for capable hackers, including the chance to use them in a botnet and launch DDoS attacks. And of course, accessing private videos, or using the devices as a bridge to infecting other devices from the same network can also be expected. It’s even possible to replace camera’s regular firmware with a malicious one, and not even be detected while doing it.
The report also mentioned that both models have the same file transfer protocol server that’s built into them. It has an empty account password that can’t be changed by the regular user. It also has a hidden telnet function that will allow hackers to widen the abilities of the device and the programming scripts have incorrect permissions which run whenever the device starts.
These three flaws can be exploited heavily by the attackers and they can be used for getting remote access to the devices. The report says that the empty password can even be used for logging in, which leads to activation of the Telnet functionality. The hackers can then get to the world-writable file and use it to control which of the programs can run on boot. Even if the device is rebooted, the attacker will still have access.
Researchers then said that the company was alerted and that these vulnerabilities were pointed out to them a few months ago. Still, it would seem that none of them have been fixed. There were no security updates and F-Secure has refused to release the proof of the exploits. They also said that they’d found such flaws in 14 different brands, besides Opticom and Foskam.
Those are Sab, Chacon. Ivue, 7links, Ebode, Thomason, Qcam, Opticam, Nexxt, Netis, Techanaxx, Turbox, Ambientcam, and Novodio.
F-Secure suggests that for now running any of these devices is dangerous and users are recommended to do so only inside a dedicated local network and don’t give them access to other devices. IoT users should change their default passwords and check for updates on regular basis.
DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.