White-box webcam scatters vulnerabilities through multiple OEMs
Hands up anyone who tests what they stick their labels on. Anyone? We thought not
The Internet of Things just got a lot worse, with F-Secure unravelling eighteen vulnerabilities in IP cameras from Chinese vendor Foscam.
The company complains that after several months, “no fixes have been issued” – in other words, situation normal in IoT-land.
The bugs are spread far and wide, because while only two discrete units (one under the Foscam brand, one sold as Opticam) were tested, F-Secure named a bunch of other brands that use Foscam internals: Chacon, Thomson, 7links, Netis, Turbox, Novodio, Ambientcam, Nexxt, Technaxx, Qcam, Ivue, Ebode and Sab.
The two target units were the Opticam i5 running system firmware 220.127.116.11 and application firmware 18.104.22.168; and Foscam's C2 running system firmware 22.214.171.124 and application firmware 126.96.36.199.
Pretty much everything F-Secure touched turned to sludge.
In order from the report (PDF), the vulnerabilities run quite a gamut: hard-coded credentials in various places, command injections, permission errors, credential leaks, cross-site scripting and more.
If, as an attacker, access via an FTP server with an empty password looks too easy, you could exploit the boot shell script, which is world-writable; or you could brute-force the Web interface, FTP or RTSP, none of which restrict login attempts, knowing that you can run these attacks even when the built-in firewall is enabled, because it doesn't work properly.
F-Secure provided three examples of attacks: adding a root user without authentication, and switching on the telnet daemon to log in and use FTP to drop a persistent payload (also unauthenticated) – which makes the ability for an authenticated attacker to add a new root user, enable telnet and log in as root look all too easy. ®
Update, June 20: Foscam has responded to the report saying the vulnerabilities have been addressed. More information here. ®