Security researchers found a number of vulnerabilities in two models of IoT cameras that could allow attackers...
to fully compromise the IoT devices and repurpose them for malicious activity.
A report by F-Secure detailed 18 flaws in the Opticam i5, made by Foscam, and found many of those same flaws in the Foscam C2. F-Secure only investigated the two devices, but said "it is likely that many of these vulnerabilities also exist in other models throughout the company's product line, and in other products Foscam manufactures," under inexpensive white label branding.
One of the most critical vulnerabilities in the devices was the use of non-random, default hardcoded passwords both for admin access to the web user interface and the user account for the built-in FTP server of the IoT cameras. The hardcoded passwords are even more insecure because they are "blank," meaning an attacker could log in to the device with the ID "admin" and no password would be required. And, this hardcoded password could even be used to bypass custom user credentials.
Worse, those aren't the only hardcoded passwords F-Secure found.
"The encrypted Foscam device configuration file contains the admin password, but this file can be exported from the device, and it is protected by hard-coded credentials which cannot be changed by the user," F-Secure wrote in its report. "An attacker who has analyzed the device and discovered the hard-coded credentials can, if they manage to obtain the config back-up file, use these credentials to decrypt the file and discover the admin password inside the file."
Beyond the hardcoded passwords
F-Secure also said it found undocumented Telnet functionality; command injection vulnerabilities; privilege escalation flaws; poor access control, which could allow access even through firewalled ports; and more.
"The sheer number of vulnerabilities offers an attacker multiple alternatives in compromising the device. Among the discovered vulnerabilities are insecure default credentials and hard-coded credentials, both of which make it trivial for an attacker to gain unauthorized access," F-Secure wrote. "Other vulnerabilities allow for remote command injection by an attacker. World-writeable files and directories allow an attacker to modify the code and to gain root privileges. Hidden Telnet functionality allows an attacker to use Telnet to discover additional vulnerabilities in the device and within the surrounding network. In addition, the device's 'firewall' doesn't behave as a firewall, and it also discloses information about the validity of credentials."
According to F-Secure, all of these vulnerabilities taken together could allow an attacker full access to the device and possibly access to other networked devices. A malicious actor could set up persistent access to the insecure IoT devices and even use them as part of a botnet or DDoS attack.
Because the hardcoded passwords could allow access regardless of user settings, F-Secure said the best option to mitigate risk would be that "users only install the cameras within a dedicated network or VLAN."
Learn eleven key takeaways from IoT botnet attacks.
Find out about the Mirai worm that spread through IoT devices via Telnet.
Get info on why embedded security is a must for IoT devices.