Chinese firm Foscam has published firmware updates to address three vulnerabilities in multiple models of IP-based cameras. The flaws, when exploited, allow an attacker to take control of vulnerable cameras, especially those left reachable online via a public IP address.
These vulnerabilities were discovered in the past month by security researchers from VDOO, a company specializing in IoT security.
VDOO says the three vulnerabilities are CVE-2018-6830, CVE-2018-6831, and CVE-2018-6832, and that an attacker can chain the three together in the following way to take over Foscam cameras.
VDOO experts claim the security bugs occurred for multiple reasons, such as (1) device processes running as root; (2) using external processes (shell commands) for trivial tasks instead of using programming APIs and libraries; (3) bad input sanitization; and (4) use of weak encryption to protect the device's firmware from external analysis.
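An added illustration of causes (2) and (3) from the list above, not code from Foscam's firmware or VDOO's write-up: a hypothetical snapshot-deletion task done with a direct `unlink()` call and an allowlist check instead of a shell command. The function names, the `/tmp` directory and the file names are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Pattern that causes (2) and (3) describe, shown as a comment only:
 *     snprintf(cmd, sizeof cmd, "rm -f %s/%s", dir, name);
 *     system(cmd);      // a shell parses 'name'; the process runs as root
 */
#define SAFE_CHARS "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789._-"

/* Allowlist: 1..64 chars from SAFE_CHARS, not starting with '.'.
 * That excludes '/', "..", whitespace and every shell metacharacter. */
int name_is_safe(const char *name)
{
    size_t n = strlen(name);
    if (n == 0 || n > 64 || name[0] == '.') return 0;
    return strspn(name, SAFE_CHARS) == n;
}

/* Delete dir/name through the unlink() API: no shell, no child process.
 * Returns 0 on success, -1 if the name is rejected or unlink() fails. */
int delete_snapshot(const char *dir, const char *name)
{
    char path[256];
    if (!name_is_safe(name)) return -1;
    int len = snprintf(path, sizeof path, "%s/%s", dir, name);
    if (len < 0 || (size_t)len >= sizeof path)
        return -1;               /* refuse truncated paths */
    return unlink(path) == 0 ? 0 : -1;
}

/* Helper for the demo: create an empty file (constructed sample data). */
int make_file(const char *dir, const char *name)
{
    char path[256];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    FILE *f = fopen(path, "w");
    if (!f) return -1;
    fclose(f);
    return 0;
}

int main(void)
{
    make_file("/tmp", "snap_demo.jpg");
    printf("valid name:  %d\n", delete_snapshot("/tmp", "snap_demo.jpg"));
    printf("traversal:   %d\n", delete_snapshot("/tmp", "../other/file"));
    printf("shell chars: %d\n", delete_snapshot("/tmp", "a.jpg;ls"));
    return 0;
}
```

Dropping root privileges for the process that handles such requests, cause (1) in the list, limits the damage further if a check like this is ever bypassed.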
The good news is that Foscam responded positively to the VDOO report, and issued firmware updates to address the flaws in its products, even thanking VDOO for their work.
This is a major change of attitude from a company that last year ignored reports of 18 security bugs discovered by F-Secure researchers.
VDOO researchers said they have not seen any botnet or threat actor exploiting the reported issues before the publication of their report. Nonetheless, this will no doubt change, as botnet herders are known to be quick to weaponize IoT vulnerabilities to their advantage.
VDOO has published a technical write-up containing more information about each of the three vulnerabilities, including proof-of-concept code to reproduce the bugs.
The VDOO write-up also contains the following table with the affected Foscam camera models and the firmware version that contains fixes for the reported issues. Instructions on how to update Foscam camera firmware are available here. Users are advised to update as soon as possible.
Besides the camera models listed in the table below, camera models from other vendors are also affected. This is because Foscam is one of the biggest sellers of white-label IP cameras, which other vendors buy and put their own logo on, without customers knowing they're actually running a Foscam device. Unfortunately, this information is impossible to track down, and users are left at the mercy of the second-hand buyer, who is now responsible for taking the Foscam firmware patches and sending them downstream to its own customers.

| Camera models | Application firmware version |
|---|---|
| C1 Lite V3 | 220.127.116.11 |
| C1 Lite V2 | 18.104.22.168 |