Widely used wireless IP cameras open to hijacking over the Internet, researchers say

Wireless IP cameras from Foscam and other vendors have serious security issues, researchers said at Hack in the Box

Thousands of wireless IP cameras connected to the Internet have serious security weaknesses that allow attackers to hijack them and alter their firmware, according to two researchers from security firm Qualys.

The cameras are sold under the Foscam brand in the U.S., but the same devices can be found in Europe and elsewhere with different branding, said Qualys researchers Sergey Shekyan and Artem Harutyunyan, who analyzed the security of the devices and are scheduled to present their findings at the Hack in the Box security conference in Amsterdam on Thursday.

Tutorials provided by the camera vendor contain instructions on how to make the devices accessible from the Internet by setting up port-forwarding rules in routers. Because of this, many such devices are exposed to the Internet and can be attacked remotely, the researchers said.

Finding the cameras is easy and can be done in several ways. One method involves using the Shodan search engine to search for an HTTP header specific to the Web-based user interfaces of the cameras. Such a query will return more than 100,000 devices, the researchers said.

The vendors selling these cameras also have them configured to use their own dynamic DNS services. For example, Foscam cameras get assigned a hostname of the type [two letters and four digits].myfoscam.org. By scanning the entire *.myfoscam.org name space an attacker could identify most Foscam cameras connected to the Internet, the researchers said.

Around two out of every 10 cameras allow users to log in with the default "admin" user name and no password, the researchers said. For the rest that do have user-configured passwords, there are other ways to break in.

One method is to exploit a recently discovered vulnerability in the camera's Web interface that allows remote attackers to obtain a snapshot of the device's memory.

This memory dump will contain the administrator user name and password in clear text along with other sensitive information like Wi-Fi credentials or details about devices on the local network, the researchers said.

Even though the vendor has patched this vulnerability in the latest firmware, 99 percent of Foscam cameras on the Internet are still running older firmware versions and are vulnerable, they said. There is also a way to exploit this vulnerability even with the latest firmware installed if you have operator-level credentials for the camera.

Another method is to exploit a cross-site request forgery (CSRF) flaw in the interface by tricking the camera administrator into opening a specially crafted link. This can be used to add a secondary administrator account to the camera.

A third method is to perform a brute-force attack in order to guess the password, because the camera has no protection against this and the passwords are limited to 12 characters, the researchers said.

Once an attacker gains access to a camera he can determine its firmware version, download a copy from the Internet, unpack it, add rogue code to it and write it back to the device.

The firmware is based on uClinux, a Linux-based operating system for embedded devices, so technically these cameras are Linux machines connected to the Internet. This means they can run arbitrary software like a botnet client, a proxy or a scanner, the researchers said.

Since the cameras are also connected to the local network, they can be used to identify and remotely attack local devices that wouldn't otherwise be accessible from the Internet, they said.

There are some limitations to what can be run on these devices, since they only have 16MB of RAM and a slow CPU, and most of the resources are already used by their default processes. However, the researchers described several practical attacks. One of them involves creating a hidden backdoor administrator account that's not listed on the Web interface.

A second attack involves modifying the firmware to run a proxy server on port 80 instead of the Web interface. This proxy would be set up to behave differently depending on who's connecting to it.

For example, if the administrator accesses the camera over port 80 the proxy would display the regular Web interface because the administrator wouldn't have his browser configured to use the camera's IP address as a proxy. However, an attacker who configures their browser in this manner would have their connection tunneled through the proxy.

A third attack scenario involves poisoning the Web interface to load a remotely hosted piece of JavaScript code. This would allow the attacker to compromise the camera administrator's browser when he visits the interface.

The researchers released an open-source tool called "getmecamtool" that can be used to automate most of these attacks, including injecting executable files into the firmware or patching the Web interface.

The only things the tool doesn't automate are the authentication bypass attacks, the researchers said. The tool requires valid log-in credentials for the targeted camera, a measure the researchers took to limit its abuse.

The cameras are also susceptible to denial-of-service attacks because they can only handle around 80 concurrent HTTP connections. Such an attack could be used, for example, in order to disable the camera while performing a robbery, the researchers said.

The best thing is for these cameras not to be exposed to the Internet, the researchers said. However, if this is needed, then the cameras should be deployed behind firewalls or intrusion prevention systems with strict rules.

Access to them should only be allowed from a limited number of trusted IP addresses and the maximum number of concurrent connections should be throttled, they said. Isolating the cameras from the local network is also a good idea, in order to prevent them from being abused to attack local devices.
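The three recommendations above (a source allowlist, a cap on concurrent connections, and isolation from the local network) can be expressed as a small nftables ruleset on the router or firewall in front of the camera. This is an added example, not configuration from the researchers or the vendor; every address, interface name and the connection cap of 20 are assumed placeholders, and it presumes the camera sits on its own network segment.

```nftables
#!/usr/sbin/nft -f
# Added example: all values below are placeholders (assumptions), not from the article.

define CAM_IP  = 192.168.50.10     # camera address on its own segment
define CAM_IF  = "vlan50"          # router interface facing the camera segment
define LAN_IF  = "br-lan"          # router interface facing the trusted LAN

# Sources allowed to reach the camera: two documentation-range Internet
# addresses and one admin workstation on the LAN.
define TRUSTED = { 198.51.100.7, 203.0.113.0/28, 192.168.1.20 }

table inet camera_guard {
    chain forward {
        # policy accept: this chain only adds restrictions for camera traffic
        # and leaves the rest of the router's forwarding policy alone.
        type filter hook forward priority 0; policy accept;

        # Replies on connections that were already permitted.
        ct state established,related accept

        # Isolation: the camera may not open new connections into the LAN,
        # so a compromised camera cannot be used to reach local devices.
        iifname $CAM_IF oifname $LAN_IF drop

        # Allowlist: only trusted sources may reach the Web interface.
        # With port forwarding, DNAT has already rewritten the destination
        # by the time the forward hook runs, so match the internal address.
        ip daddr $CAM_IP tcp dport 80 ip saddr != $TRUSTED drop

        # Throttle: refuse new connections once 20 are open, well below the
        # roughly 80 concurrent HTTP connections the camera can handle.
        ip daddr $CAM_IP tcp dport 80 ct state new ct count over 20 drop
    }
}
```

Load it with `nft -f` and check the result with `nft list table inet camera_guard`; the `ct count` match needs a kernel and nftables build with connection-limit support.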


Lucian Constantin

IDG News Service