The vulnerabilities allow an attacker to remotely control a device and its video feed and download files from its built-in server. If an exploited device has access to a local area network, the attacker could access the network and its resources. An attacker could also use a device to perform other malicious activity, such as DDoS attacks against other parties.
“These vulnerabilities are as bad as it gets,” said Harry Sintonen, senior security consultant at F-Secure, who found the vulnerabilities. “They allow an attacker to pretty much do whatever he wants. An attacker can exploit them one by one, or mix and match to get greater degrees of privilege inside the device and the network.”
The discovery is the latest in a long list of internet-enabled “things,” or smart devices, that are not adequately secured to withstand modern attacks that take place constantly across the internet. Smart cars, CCTV cameras, DVRs, water kettles and routers are just some of the devices that have been found to be woefully insecure. The problem has been magnified by botnets such as Mirai, which co-opted internet-exposed insecure cameras and DVRs to orchestrate last October’s giant internet outage – the largest DDoS attack against the internet infrastructure in history.
The vulnerabilities, which number 18 in total, offer an attacker multiple ways to compromise the device. Insecure, hard-coded and empty credentials give attackers easy administrator level access allowing full control over the device. The software neglects to restrict access to critical files and directories, allowing an attacker to modify them with their own commands. An attacker can also perform remote command injection, cross-site scripting, buffer overflows and brute force password attacks, among other malicious actions, to ultimately fully compromise the device and access the network.
“Security has been ignored in the design of these products,” said Janne Kauhanen, cyber security expert at F-Secure. “The developers’ main concern is to get them working and ship them. This lack of attention to security puts users and their networks at risk. The irony is that this device is marketed as a way of making the physical environment more secure – however, it makes the virtual environment less so.”
Chinese manufacturer Foscam makes a number of IP cameras. Some are white-labeled and sold under various other brand names, one of which is OptiCam. The two models Sintonen investigated are the OptiCam i5 HD device and the Foscam C2. Sintonen says it’s likely many of these vulnerabilities also exist in other products Foscam manufactures.
Sintonen recommends keeping these devices in a separate network, not exposed to the internet. “Changing the default password is also a best practice that should always be followed,” he said. “Unfortunately, with these devices, hard-coded credentials can allow an attacker bypass the password even if it’s changed.”