Multiple Vulnerabilities Found in Popular IP Cameras
The vulnerabilities, 18 in all, were uncovered by F-Secure, which specifically found them in the Optical i-5 and Foscam C2 digital cameras. F-Secure warns, however, that these vulnerabilities likely exist throughout the Foscam range and potentially in all 14 separate brands that it knows sell Foscam cameras.
The flaws include insecure default credentials, hard-coded credentials, hidden and undocumented Telnet functionality, command injection flaws, missing authorization, improper access control, cross-site scripting, and a buffer overflow. All are detailed in a study (PDF) published today.
“Security has been ignored in the design of these products,” said Janne Kauhanen, cyber security expert at F-Secure. “The developers’ main concern is to get them working and dispatch them. This lack of attention to security places users and their systems at risk. The mystery is that this device is marketed as a way of getting the physical environment safer — however, it makes the actual digital environment less so.”
While attention on IoT device security — especially cameras — has recently been focused on the Mirai botnet and the most significant DDoS attack against the internet infrastructure in history, the number and severity of the Foscam vulnerabilities are particularly concerning. “These weaknesses are as bad as it gets,” said Harry Sintonen, the F-Secure senior security consultant who found the vulnerabilities. “They allow an attacker to pretty much do whatever he wants. An opponent can exploit them one by one, or blend and match to get greater degrees of advantage over the device and the network.”
F-Secure gives several example attacks against the products. For example, an unauthenticated user able to access a specific port can use a command injection to add a new basic user for the device and enable a standard remote login service (Telnet). Then, when logging in through this remote login service, they have admin rights on the device.
A second attack could take advantage of three separate weaknesses. “The empty password on the FTP user accounts can be used to log in,” points out the F-Secure report. “The hidden Telnet functionality can then be activated. Following this, the attacker can access the world-writable (non-restricted) file that controls which programs operate on boot, and the attacker may add his own to the list. This allows the attacker persistent access, even if the device is rebooted. In fact, the attack requires the device to be rebooted, but there is also a way to power a reboot as well.”
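A vendor or defender reviewing an unpacked firmware image can check for two of the weaknesses in this chain, accounts with an empty password and world-writable boot-time files, before a device ships or is deployed. The script below is an added example, not code from the F-Secure report or from Foscam; the boot paths are generic embedded-Linux locations assumed for illustration, and the sample tree (file names and the ftpuser account) is constructed.

```python
import os, stat, tempfile

# Assumed generic boot-time locations on embedded Linux (the page does not
# name the camera's own file, so these paths are illustrative).
BOOT_PATHS = ("etc/init.d", "etc/rc.d", "etc/rc.local", "etc/inittab")

def world_writable_boot_files(rootfs):
    """Boot-time regular files under rootfs that any local user can modify."""
    hits = []
    for rel in BOOT_PATHS:
        top = os.path.join(rootfs, rel)
        paths = [top] if os.path.isfile(top) else [
            os.path.join(d, f) for d, _, files in os.walk(top) for f in files]
        for path in paths:
            mode = os.lstat(path).st_mode  # lstat: do not follow symlinks
            if stat.S_ISREG(mode) and mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, rootfs))
    return sorted(hits)

def empty_password_accounts(rootfs):
    """Account names with an empty password field in passwd or shadow."""
    names = set()
    for rel in ("etc/passwd", "etc/shadow"):
        path = os.path.join(rootfs, rel)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                fields = line.rstrip("\n").split(":")
                if len(fields) >= 2 and fields[0] and fields[1] == "":
                    names.add(fields[0])
    return sorted(names)

def build_sample(rootfs):
    """Constructed sample tree, not taken from any real firmware image."""
    os.makedirs(os.path.join(rootfs, "etc/init.d"))
    files = {"etc/init.d/S10network": 0o755, "etc/init.d/S90apps": 0o777,
             "etc/rc.local": 0o646, "etc/passwd": 0o644}
    for rel, mode in files.items():
        path = os.path.join(rootfs, rel)
        with open(path, "w") as fh:
            if rel == "etc/passwd":
                fh.write("root:x:0:0::/root:/bin/sh\nftpuser::1000:1000::/tmp:/bin/sh\n")
        os.chmod(path, mode)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print("world-writable boot files:", world_writable_boot_files(root))
        print("empty-password accounts:", empty_password_accounts(root))
```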
Since there are no fixes yet available from Foscam, F-Secure suggests that users only set up the cameras within a dedicated network or VLAN. In this case, it notes, changing the default password will not increase security “because of the Foscam IP cameras’ use of a hard-coded license, in this case, an attacker can bypass unique credentials.”
Remediation responsibility, however, remains with the maker. F-Secure lists advice for Foscam, ranging from having “a truly random default administrative password” with a password label attached to the underside of the device, to eliminating built-in credentials and implementing a proper iptables firewall.
In general, F-Secure advises vendors to design security into their products from the beginning. “Having product security processes in place,” says the report, “and investing even modest resources into security is a differentiator from competitors. This can work to vendors’ advantage when regulation enforces secure design practices.”