
Foscam BBS


F-Secure reports multiple critical security vulnerabilities in Foscam cameras

Post time 2017-06-08 11:32:51
F-Secure is reporting 18 vulnerabilities in multiple Foscam cameras with the latest firmware (and also older firmware). Many of these are critical, allowing unauthorized remote access and even allowing a camera to be completely taken over remotely (i.e. root access), unauthorized firmware to be flashed, and the camera to be used to attack other devices on the network. They are also trivial to perform, requiring no hacking skills at all, and changing the default password on the camera won't prevent unauthorized access.

This has been picked up by multiple news sites:
https://arstechnica.com/security ... nd-remote-controls/
https://thestack.com/security/20 ... -in-foscam-cameras/
https://www.cso.com.au/article/6 ... won-t-stop-hackers/
https://www.theregister.co.uk/20 ... ough_multiple_oems/

The web page I found for Foscam's security claims there are "no known vulnerabilities" as of June 3, 2017 and that any security issues are quickly fixed, but F-Secure claims they notified Foscam about the security vulnerabilities several months ago and the issues were never fixed.

How does Foscam respond to these claims? When will Foscam release fixes for this and report which cameras are vulnerable?

Post time 2017-06-14 05:03:05
Edited by chance at 2017-06-14 06:37

"Foscam always attached great importance to our product security and we have a special department who are dedicated to improve our product security."

I'm sure you have...

Exaggerating or not, what would you expect from a company that uses hard-coded credentials in a FW? No one considers that giving great importance to product security at all.
Do you still consider this exaggerating?

http://images.news.f-secure.com/ ... -cameras_report.pdf
Against this there's not much to argue about: Foscam's R&D department's knowledge of security is less than zero.
How about releasing the IP Camera GPL so users can analyse/compile the code on their own?
Why did Foscam never answer F-Secure's emails reporting security flaws in their products for several months, but only after a public disclosure of the security flaws?

I'm still waiting for a fix (1 year now) to the iOS App and a reply to all my ignored emails after Foscam confirmed there's an issue in the software, but they are simply still ignoring it and stopped replying to emails. What company ignores their clients? Only FOSCAM...
I can supply proof of all my statements and send the emails and replies exchanged with the Technical Department if needed. Interested?
Just wait for new Foscam FWs to come out to see F-Secure once again state the cameras are still insecure and several security flaws are still present, if not new ones...
Post time 2017-06-14 11:08:33
Edited by chance at 2017-06-14 13:13

Yeah, it's quite a bit easier to delete users' posts telling the truth about Foscam's incompetence than to solve the problems in your own products. Let me know when you decide to solve the problem with the iOS FOSCAM App after 1 year of reported issues and dozens of ignored emails to FOSCAM support.
Post time 2017-06-12 06:24:38
Up! Hello, this is a major issue, no reaction from Foscam after 4 days; this is unbelievable considering how dangerous the vulnerabilities are.
Should we disconnect the cams?
Post time 2017-06-13 11:26:48
I emailed tech@foscam.com and their response is that they are looking into this. The responder did say they were going to release new software within this week, BUT only for certain models. I wish FOSCAM would address this on their main webpage to alleviate some of the fear some of these reports are generating. I own several Foscam cameras and although I am pretty diligent about security, some of the findings are just bad/sloppy engineering. Worse is the fact that some of these cameras have not seen any firmware updates since like 2015. In a world where new exploits are being found daily, that's just plain crazy. Foscam can choose to ignore old cameras and security reports such as these, but it WILL be their downfall. I for one cannot endorse them nor will I recommend them to anyone anymore. They were nice/cheap cameras when security was just an afterthought, but now with identity theft being such a big deal, I can't see how I can ignore this and, worse, try to encourage others to use these cameras.
oh well, good luck!
Post time 2017-06-13 15:15:47
Edited by chance at 2017-06-14 05:20

Amcrest (US) is a FOSCAM rebranded name; they split after several issues relating to distribution, lack of security and quality control (no wonder), so the HW is exactly the same. Each Amcrest camera has a matching Foscam model, so users can use Amcrest FW on Foscam cameras; those are not affected and are secure.

Amcrest letter:

We wanted to reach out as soon as possible to inform you of recently discovered security vulnerabilities affecting "Foscam" branded cameras manufactured by China-based Shenzhen Foscam. Foscam US has been notified of 18 security vulnerabilities that exist on cameras manufactured by Shenzhen Foscam which leave users vulnerable to hacks which allow attackers to remotely take over cameras, live stream, download stored files and even compromise other devices located on the local network.
Source: F-Secure Report available here:
http://images.news.f-secure.com/Web/FSecure/%7B43df9e0d-20a8-404a-86d0-70dcca00b6e5%7D_vulnerabilities-in-foscam-IP-cameras_report.pdf

The vulnerabilities affect "Foscam" branded cameras and cameras manufactured by China-based Shenzhen Foscam only. The vulnerabilities DO NOT affect Amcrest or FDT branded cameras which are produced by a separate factory and R&D team led by US-based Amcrest (formerly Foscam US and now Amcrest), which is totally unrelated to China-based Shenzhen Foscam.

Amcrest split off from China-based Shenzhen Foscam in 2015 / 2016 due to issues relating to distribution, lack of security and quality control and thus Amcrest and FDT cameras are totally unaffected by these latest security vulnerabilities.

The models affected include the following:

Foscam R2
Foscam C1
Foscam C1 Lite
Foscam C2
Foscam FI9800
Foscam FI9826P
Foscam FI9828P
Foscam FI9851P
Foscam FI9853EP
Foscam FI9901EP
Foscam FI9903P
Foscam FI9928P

Source: CVE Details report available here:

https://www.cvedetails.com/cve/CVE-2017-7648/

We recommend disconnecting your current Foscam branded cameras from the internet until these issues have been resolved. If you have any questions, please reach out to China-based Shenzhen Foscam directly.

Shenzhen Foscam currently has not responded and has not yet provided any patch or fix to address the vulnerabilities. (Source: Arstechnica)

More details available here:

https://arstechnica.com/security/2017/06/internet-cameras-expose-private-video-feeds-and-remote-controls/

http://www.tomsguide.com/us/foscam-camera-flaws,news-25254.html
Post time 2017-06-13 18:46:01
Hi All,

With regard to the bugs mentioned in the F-Secure reports, Foscam attributes great importance to them and has arranged for our Research and Development Department to analyze each of the items over the past few days.

We have found that some items mentioned in the report do not exist, and our cameras have a mechanism that makes changing the default password mandatory, which prevents some of the mentioned cases from happening. For the existing bugs, please be patient while we are developing the new firmware now. We suggest you keep an eye on our website; we'll release the new firmware for our top models within this week. Firmware for other models will also be released in the following days.

Some competitors have abused the report to exaggerate the situation and spread panic among our faithful users in order to take advantage. Every piece of software may have bugs, and what we do is keep improving the security of Foscam cameras. Foscam has always attached great importance to our product security, and we have a special department dedicated to improving our product security by releasing updated firmware in time. Thank you.
Post time 2017-06-14 11:38:43
This got posted today in their downloads page:

http://www.foscam.com/downloads/firmware_details.html?id=101

I have no idea if this is what they meant to resolve these recent security issues or NOT. The release notes say "Fixed some bugs.", which doesn't really give me the nice fuzzies.

Again, FOSCAM could alleviate a lot of this craziness/panic mode by addressing their customers instead of just ignoring them and/or choosing to ignore the security company who found these exploits.

oh well, good luck!

Post time 2017-06-14 12:06:03
Edited by chance at 2017-06-14 14:36

This is the information in the downloaded ZIP for FW 2.x.1.48:

- Fixed some bugs.

This is the information in the FOSCAM App about the same FW file 2.x.1.48:

- Fix security issues.
- Support Firefox version 53 and above.
- Support Edge browser.

So each changelog says something different for the same FW version, very wise and informative. :-)

Btw, the FW still has at least 2 security flaws carried over from the previous FW version, as expected... If FOSCAM is interested I can prove it with the POC file.
I will check on the others...

Post time 2017-06-14 13:21:40
Cool, thanks.