A bug in the software that powers a broad array of Webcams, IP surveillance cameras and baby monitors made by Chinese camera giant Foscam allows anyone with access to the device’s Internet address to view live and recorded video footage, KrebsOnSecurity has learned.
The issue came to light on the company’s support forum after camera experts discovered that the Web interface for many Foscam cameras can be accessed simply by pressing “OK” in the dialog box when prompted for a username and password. Reached via email, the company’s tech support division confirmed that the bug exists in MJPEG cameras running the .54 version of the company’s firmware.
Foscam said it expects to ship an updated version of the firmware (Ver. 55) that fixes the bug by Jan. 25. The new firmware will be published on the company’s website. According to Foscam, the problem affects the following models: FI8904W, FI8905E, FI8905W, FI8906W, FI8907W, FI8909W, FI8910E, FI8910W, FI8916W, FI8918W, and FI8919W. Foscam users can determine if their camera is affected by following the instructions here.
Don Kennedy, a camera enthusiast and active member of the Foscam support forum who helped to diagnose and report the firmware problem, also posted a workaround for the bug until Foscam issues an official fix. Kennedy said the vulnerability comes on the heels of another Foscam flaw that drew widespread media attention in August 2013, in which some creep reportedly used a similar vulnerability to shout obscenities at a sleeping toddler.
This is just the latest in a string of such discoveries. In 2012, researchers revealed that a large number of IP cameras made by TRENDnet were similarly vulnerable to snooping by outsiders. While these types of vulnerabilities require outsiders to know the exact Internet address of vulnerable cameras, specialized search engines like SHODAN can be used to pinpoint devices that may not be indexed by typical search engines.