Fosscam IP camera

IP cameras manufactured by Chinese vendor Fosscam are riddled with security flaws that allow an attacker to take over the device and penetrate your network.

The issues came to light yesterday when Finnish cyber-security firm F-Secure published its findings after Fosscam failed to answer bug reports and patch its firmware.

Below is a list of 18 vulnerabilities researchers discovered in Fosscam IP cameras:

1. Non-random default credentials for web user interface account
2. FTP server account uses empty password
3. FTP server account has a hard-coded password
4. Configuration back-up file is protected by hard-coded credentials
5. Hidden hard-coded credentials for web user interface
6. Hidden Telnet functionality
7. Remote command injection in User Add
8. Remote command injection in /mnt/mtd/boot.sh via ProductConfig.xml
9. Unauthenticated Remote Command Injection via Anonymous ONVIF SetDNS
10. Incorrect permission assignment for startup script: /mnt/mtd/boot.sh
11. Incorrect permission assignment for directory: /mnt/mtd/app
12. Administrator Credential Disclosure via Anonymous ONVIF GetStreamUri
13. Unauthenticated Reboot via Anonymous ONVIF SystemReboot
14. Leaky firewall feature
15. Missing restriction of multiple login attempts
16. Denial of service of the RTSP video feed
17. Unauthenticated Persistent XSS via Anonymous ONVIF SetHostname
18. Buffer overflow in ONVIF SetDNS

The variety of issues F-Secure researchers discovered means there are multiple ways an attacker can hack one of these devices and use it for various operations.

"For example, an attacker can view the video feed, control the camera operation, and upload and download files from the built-in FTP server," F-Secure says. " They can stop or freeze the video feed, and use the compromised device for further actions such as DDoS or other malicious activity."

"If the device is in a corporate local area network, and the attacker gains access to the network, they can compromise the device and infect it with a persistent remote access malware. The malware would then allow the attacker unfettered access to the corporate network and the associated resources," researchers added.

Many other vendors potentially affected as well

F-Secure researchers say all these vulnerabilities have been confirmed in Fosscam C2 models, but also in Opticam i5, an IP camera sold by another vendor, but based on a white-label Fosscam device.

In fact, researchers suspect that Fosscam has sold the vulnerable IP camera model as a white-label product, which other companies bought, plastered their logo on top, and resold as their own devices. F-Secure says it identified 14 other vendors that sell Fosscam-made cameras, but they have not tested their products as of yet.

Chacon
Thomson
7links
Opticam
Netis
Turbox
Novodio
Ambientcam
Nexxt
Technaxx
Qcam
Ivue
Ebode
Sab

F-Secure recommends that network administrators remove any Fosscam-made IP camera from their network until the Chinese company patches its firmare.

Model Name Vulnerable System Firmware Version Vulnerable Application Firware Version
Foscam C2 1.11.1.8 2.72.1.32
Opticam i5 1.5.2.11 2.21.1.12

More in-depth details and proof-of-concept exploit code is available in F-Secure's report. Below is a video put together by F-Secure, discussing the consequences of using vulnerable cameras on home and business networks.