January 23, 2014

A bug in the software that powers a broad array of Webcams, IP surveillance cameras and baby monitors made by Chinese camera giant Foscam allows anyone with access to the device’s Internet address to view live and recorded video footage, KrebsOnSecurity has learned.

The issue came to light on the company’s support forum after camera experts discovered that the Web interface for many Foscam cameras can be accessed simply by pressing “OK” in the dialog box when prompted for a username and password. Reached via email, the company’s tech support division confirmed that the bug exists in MJPEG cameras running .54 version of the company’s firmware.

Foscam said it expects to ship an updated version of the firmware (Ver. 55) that fixes the bug by Jan. 25. The new firmware will be published on the company’s website. According to Foscam, the problem affects the following models: FI8904W, FI8905E, FI8905W, FI8906W, FI8907W, FI8909W, FI8910E, FI8910W, FI8916W, FI8918W, and FI8919W. Foscam users can determine if their camera is affected by following the instructions here.

Don Kennedy, a camera enthusiast and active member of the Foscam support forum who helped to diagnose and report the firmware problem, also posted a workaround for the bug until Foscam issues an official fix. Kennedy said the vulnerability comes on the heels of another Foscam flaw that drew widespread media attention in August 2013, in which some creep reportedly used a similar vulnerability to shout obscenities at a sleeping toddler.

This is just the latest in a string of such discoveries. In 2012, researchers revealed that a large number of IP cameras made by TRENDnet were similarly vulnerable to snooping by outsiders. While these types of vulnerabilities require outsiders to know the exact Internet address of vulnerable cameras, specialized search engines like SHODAN can be used to pinpoint devices that may not be indexed by typical search engines.


42 thoughts on “Bug Exposes IP Cameras, Baby Monitors”

  1. Cormac Haydon

    There are YouTube accounts dedicated to these feeds. I believe they can play music via the IP camera also.

    1. Old School

      Start with the YouTube search: Foscam hack. A video about the hacker shouting at a baby is listed in the search results. The actual event is not in the video.

      1. DefendOurFree

        There are TOR wikis with links to live cams, including security cams.

  2. Robert

    I tried this on my cams running 11.22.2.51 and UI 2.4.10.5 and it DOES NOT work. This version must not be vulnerable so it was likely introduced in .54 only. Oddly I just recently patched all of the cameras and my cameras are FI8918W so I went back and looked at the firmware. There are actually two trains of firmware releases for the camera you have pictured above. The earlier train is not affected at all even on the latest version. This actually only affects 4 cameras of the entire Foscam line which have to be certain late revision numbers of hardware. By all means this is a significant vulnerability but before everyone panics check the model of your Foscam, you likely can’t even install this vulnerable firmware version.

      1. Robert

        Thanks for your feedback Don. I don’t see a .55 firmware anywhere, what am I missing and what did I get wrong? This is the firmware page that I used, is this the wrong firmware download page for Foscam? http://foscam.us/firmware

        1. Don Kennedy

          You can find the .55 system firmware release here:

          http://www.foscam.com/down3.aspx

          Please note: I would read this first because there is a secondary issue that can allow others to FREEZE your camera once .55 is installed:

          http://foscam.us/forum/mjpeg-54-firmware-bug-user-logon-bypass-t8442.html#p40543

          Once you upgrade firmware you can’t go back and downgrade firmware. Using the workaround, it’s possible to somewhat mitigate this issue, without exposing your camera to “At Will” freezes.

          Each camera owner will need to decide what works best for them. At the moment. Upgrading to .55 or implementing the workaround.

          Don

  3. Amy

    Here’s my question. Are webcams, IP cameras and such which are branded as Microsoft, Dell, etc. actually manufactured by these other companies? I presume Microsoft isn’t in the business of manufacturing these kinds of products. It’s just like the GE 30-foot phone cable I bought recently on Amazon – it was actually just GE licensing their name and logo to some Chinese company.

    1. Don Kennedy

      Some IP Camera models do use this same firmware. It’s impossible to guess which ones. Because there are so many different brands and also some IP Cameras with no logon on them. It would be best to try the tester to see if your camera is using this firmware.

      Additionally. Other IP Cameras may use different firmware version numbers that could have the same issue. While this issue is restricted to the .54 System firmware version for Foscam.

      More here:

      http://foscam.us/forum/mjpeg-54-firmware-bug-user-logon-bypass-t8442.html#p40593

      Don

    1. BrianKrebs Post author

      Hey Victor, far be it from me to stop you from advertising your wares on my site, but please tell me: How is your “solution” better than a piece of tape?

      1. JohD

        Ha! This is like that guy on Shark Tank trying to sell the same thing for $9.99 a piece. I’ll rather try Brian’s tape method and spend the money on lunch or a drink.

        1. Fran

          Why would you cover the laptop’s webcam?? Afraid someone can see your face?

      2. Tom Harnish

        How is this a bug? I have a 8904, 8005, and a 8919. Default username on all of them was ‘admin’, pswd null.

        Out of the box, if you hit OK on login screen you get the dashboard where you change the default login. Then clicking OK doesn’t work any more.

        Given that half the people in the world are dumber than the other half (maybe more), the default logins may not be changed. But does that make it a bug?

        Seems to me, easy set up is a feature, not a bug.

        1. Don Kennedy

          The bug requires NO User Id and NO Password. Which is not the same as using a UserId with no password.

          Don

      3. Anonymous

        I just use a little bit of paper. One day I hope I can upgrade to tape.

  4. John Ervin

    Target/Home Depot/Kohl’s/Wal-Mart and many others use IP based cameras in their security department. Security system at most of these locations is also on the store network, and has the ability to store video on store servers. Many of these stores are also using wireless pen cameras stored behind pegboard, in high theft departments.

    1. Brand Howard

      What does that have to do with this article? The cameras in stores are on internal private networks and use VPN connections between locations.

  5. Brand Howard

    Not related to this article but why is this site not HTTPS?

    1. Doktor McNasty

      My first guess would be because it isn’t necessary.

      What do you want encryption for?

      Authentication?

      I don’t think Brian really cares who you think you are.

      Content?

      Even more nonsensical. You’re posting public messages what point to encrypt that?

      1. anymouse

        How about if Brian posted something someone didn’t like or that affected their “business model” and they decided to change up what viewers see to a more favorable article?

        1. BrianKrebs Post author

          There is an HTTPS version of this site, but you will likely see cert errors if you load it. I constantly hear about this from readers who run plugins which force https connections where available. And these readers usually send an indignant or self-righteous email about the irony of a security blog having a cert that throws off (overly alarming) alerts. The reason that cert error is there is merely because a few images on the site are not served over https. The only reason that cert is there is because I sometimes have to access my site over networks I don’t control.

          At any rate, I’m with McNasty on this one: Why should this site be https?

          1. timeless

            It would be nice if all sites were available via HTTPS:// with properly configured certificate chains and proper TLS settings.

            If you were one of the sites configured this way, then, perhaps it would be easier to convince others to run HTTPS:// for everything (banks in my experience don’t run their main pages on HTTPS:// by default).

            SPDY requires TLS, so TLS will happen when http2 replaces http, but until then…

            As for why… you often link to important references, there have been links to the free credit report site.

            If I visit your site via http://, then such links could be re-written to fraudulent sites. Just because information on a page is “public” doesn’t mean that there can’t be harm in allowing someone to manipulate it.

            Or similarly, just because the phone number of a caller is public doesn’t mean that harm can’t come from having the number forged, as in SWATTING.

            There can be harm in someone changing the numbers listed in a public directory. It’s why we don’t approve of DNS take-overs.

            1. ettercap

              My understanding is that, with sslstrip and ettercap for example, one could use ARP poisoning to negate the effects of https in some cases.

  6. TheOreganoRouter.onion

    That just goes to show you that you can’t trust the cheap Chinese junk sold to people in the United States who keep buying this crap.

    1. Joel

      How so? As a reader of this blog you see tons of American and European companies that were hacked too.

      Does that “prove” we can’t trust them as well?

  7. k@r

    My firm found this vulnerability and the CVE was pending notification of the vendor as of early January. Our CVE should be issued shortly. Additionally, we have a paper out soon detailing systemic problems with this vendor.

    The forum user should have gone through the CVE process.

    1. Don Kennedy

      The Poster who found this issue, decided to go public with it.

      Which left little choice, on how to deal with mitigating what could be done.

      Not everyone follows bug reporting protocol. While I do agree that they should.

      Don

    2. Don Kennedy

      Additionally. While there has now been a firmware fix released that covers the unauthorized camera access. There is a secondary issue that can cause your camera to be frozen “At Will” by continued attempts of trying to logon without any User Id and Password.

      Because of this. Each camera owner needs to decide IF they wish to install this new fix. Because one cannot downgrade firmware, afterwards.

      More details here:

      http://foscam.us/forum/mjpeg-54-firmware-bug-user-logon-bypass-t8442.html#p40535

      Don

  8. mechBgon

    On a practical note, if an IP camera is accessible from the outside world, then I suggest segregating the camera from your computers. The typical home/SOHO user has all their devices (cameras and computers) connected to the same router, or something that serves its role, like an Internet modem/gateway box. If you pick up an additional router, plug its WAN/Internet port into your existing router/gateway/modem, and then connect your computers to your new router, its firewall would shield your computers from your IP camera if it were subverted.

    For the visual folks, here’s a fuzzy snip from my PDF on the subject. In this picture, the left side is someone out on the Internet, and the right side is their small-business network. The Internet gateway in this example contains a router and firewall that would forward outside requests to the camera using port-forwarding rules, and the “business firewall” is in the position of the additional router that I suggested above.

    http://mechbgon.com/cameras.jpg
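
The isolation mechBgon describes above, expressed as rules on a single router instead of a second box (an added example, not part of the comment or the original article). It assumes a Linux router running nftables with three interfaces; the names wan0, lan0 and cam0, the camera address 192.168.50.10 and the external port 8080 are all hypothetical.

```nftables
#!/usr/sbin/nft -f
# Added example: every interface name, address and port here is an assumption.
define WAN = "wan0"    # uplink to the Internet
define LAN = "lan0"    # computers
define CAM = "cam0"    # cameras only, on their own subnet

table inet cam_isolation {
    chain prerouting {
        type nat hook prerouting priority -100; policy accept;
        # Port-forward: outside requests on 8080 reach the camera's web UI.
        iifname $WAN tcp dport 8080 dnat ip to 192.168.50.10:80
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname $WAN masquerade
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were allowed to start.
        ct state established,related accept
        ct state invalid drop

        # Computers may open connections anywhere, including to the camera.
        iifname $LAN accept

        # From the Internet, only traffic matched by the port-forward above.
        iifname $WAN oifname $CAM ct status dnat accept

        # The camera may reach the Internet, as it can behind the outer
        # router in the two-router layout.
        iifname $CAM oifname $WAN accept

        # Anything else the camera originates, above all new connections
        # toward the computers, is counted, logged and dropped.
        iifname $CAM counter log prefix "cam-blocked " drop
    }
}
```

These rules filter forwarded traffic only; access from the camera segment to the router's own services is governed by the router's input rules, which are not shown.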

  9. ltjd

    So if you have a “hackable” 8 channel home security camera system… would it be wrong to dedicate one channel that’s a continuous video loop of me at the kitchen table cleaning my M-4 with a few loaded handguns nearby?

    Just sayin…

  10. Chris Thomas

    So much for IPv6. Good ol’ NAT. I heard of a fridge that’s a spam relay.

  11. IA Eng

    Sheeet that’s not all. SANS reported a while ago about vacuums and other devices with “spam chips”, several months ago.

    With your article, and then this little trinket below… whomever controls all these items during a massive cyber attack involving all of this, wins!

    24. January 17, Softpedia – (International) At least one smart refrigerator used in massive cyberattack. Researchers at Proofpoint analyzed a large-scale spam campaign that involved over 750,000 malicious emails and found that more than 100,000 Internet-connected consumer electronic devices were used in the attack, including multimedia centers, smart TVs, routers, and at least one smart refrigerator. Source: http://news.softpedia.com/news/At-Least-One-Smart-Refrigerator-Used-in-Massive-Cyberattack-417878.shtml

  12. Wilson Dizard

    Checked https://www.kickstarter.com/projects/tapatucamteam/tapatucam

    Nota bene, re Web cam hacks: here in DC, my home town & south of the Mason-Dixon line (like Brian Krebs, who lives in Northern Virginia, slightly farther south), we are subject to a regional cultural rule.

    Namely, to avoid uttering the following words if at all possible, or even thinking them:

    “I don’t think we can fix it with duct tape.”

    Stephen Colbert (a DC native raised in South Carolina) offered the duct tape fix to the Web cam hack several weeks ago; for several easy payments of $XX.99, plus shipping & handling.

    This notebook computer doesn’t have a webcam. There’s a new webcam in its blister package, about seven feet away, where it has been for at least five months.

    What is the compelling reason to install this web cam? If there was one, certainly it would have arisen over the past 150 days. I’ll keep it around, though.

  13. JVH

    Who would leave an IP address on a camera exposed directly to an Internet connection? We run hundreds of cameras within my organization and not a single one is accessible unless you make a VPN connection to the internal network.
