Have a Foscam (or Foscam-made) IP camera in your house? Smile, you're on candid camera!

Elixer

Gotta love an IP camera that has a hardcoded password of "" (empty), so basically anyone can view/stop or even upload your camera's feed, or do a ton of other things to it, and you would have no clue this was happening.

Bots are now scanning networks for these cameras to get videos...

IP cameras manufactured by Chinese vendor Fosscam (sic) are riddled with security flaws that allow an attacker to take over the device and penetrate your network.
...
1. Non-random default credentials for web user interface account
2. FTP server account uses empty password
3. FTP server account has a hard-coded password
4. Configuration back-up file is protected by hard-coded credentials
5. Hidden hard-coded credentials for web user interface
6. Hidden Telnet functionality
7. Remote command injection in User Add
8. Remote command injection in /mnt/mtd/boot.sh via ProductConfig.xml
9. Unauthenticated Remote Command Injection via Anonymous ONVIF SetDNS
10. Incorrect permission assignment for startup script: /mnt/mtd/boot.sh
11. Incorrect permission assignment for directory: /mnt/mtd/app
12. Administrator Credential Disclosure via Anonymous ONVIF GetStreamUri
13. Unauthenticated Reboot via Anonymous ONVIF SystemReboot
14. Leaky firewall feature
15. Missing restriction of multiple login attempts
16. Denial of service of the RTSP video feed
17. Unauthenticated Persistent XSS via Anonymous ONVIF SetHostname
18. Buffer overflow in ONVIF SetDNS

...

"For example, an attacker can view the video feed, control the camera operation, and upload and download files from the built-in FTP server," F-Secure says. "They can stop or freeze the video feed, and use the compromised device for further actions such as DDoS or other malicious activity."

Here is the list of cameras that Foscam made but sold under these brands...
Chacon
Thomson
7links
Opticam
Netis
Turbox
Novodio
Ambientcam
Nexxt
Technaxx
Qcam
Ivue
Ebode
Sab
https://www.bleepingcomputer.com/ne...s-make-fosscam-ip-cameras-absolutely-useless/

Red Squirrel

You should never ever ever ever put a device like this directly on the internet anyway. It should stay on the LAN, and don't forward ports from the internet to it. I'd even go as far as putting it on a separate VLAN with pretty much restricted access: the DVR needs to be able to access the cameras, but that's it; the cameras themselves don't need to be accessible from anywhere else, nor do they need to access anything else (e.g. calling home). You can maybe set up a rule so you can access the cameras from your main workstation if you need to configure them (set pan/tilt/zoom etc.), but that's it.

What's scary is that a lot of people don't seem to follow this basic advice, as there are a lot of "public" web cams out there that were not meant to be public.
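The segmentation described above, written out as a pf ruleset (pfSense runs pf underneath its GUI). This is an added example, not a ruleset from the thread or from pfSense; the interface names, the camera VLAN subnet and the DVR/workstation addresses are assumptions, and cameras are assumed to stream RTSP over TCP (if a camera insists on UDP RTP, its port range has to be added to the DVR rule).

```pf
# Added example (not from the thread): camera VLAN that only the DVR and one
# admin workstation may reach, and that may reach nothing at all.
# Interface names and addresses are assumed values, not from the thread.
cam_if   = "vlan30"              # camera VLAN
lan_if   = "em0"                 # main LAN
wan_if   = "em1"                 # internet side
cam_net  = "192.168.30.0/24"
dvr      = "192.168.1.10"        # NVR/DVR host on the LAN
admin_ws = "192.168.1.50"        # workstation allowed to configure cameras
cam_svc  = "{ 80, 443, 554 }"    # web UI/ONVIF and RTSP; widen only if a camera needs more

set block-policy drop
set skip on lo0

# Default deny in both directions; everything below is an explicit exception.
block log all

# Cameras may initiate nothing: no "calling home", no access to the LAN, and
# no SSDP/UPnP to the firewall itself, so a camera cannot ask the router to
# open ports (the UPnP service should be disabled on the router as well).
block log quick on $cam_if proto udp from $cam_net to any port 1900
block log quick on $cam_if from $cam_net to any

# The DVR pulls the streams; the admin workstation may reach the web UI.
# pf keeps state on these, so the cameras' replies are allowed automatically.
pass in quick on $lan_if proto tcp from $dvr      to $cam_net port $cam_svc
pass in quick on $lan_if proto tcp from $admin_ws to $cam_net port $cam_svc

# Ordinary LAN hosts keep their normal internet access; cameras are not on
# this interface and nothing passes in from the WAN side.
pass in  quick on $lan_if from $lan_if:network to ! $cam_net
pass out quick on $wan_if from $lan_if:network to any
```

Check the result from a camera's point of view (for example by trying to reach the internet or the LAN from the camera VLAN) and from the WAN side; both should produce only block entries in the pf log.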

Red Squirrel

Yeah, lots of fakes out there, which sucks, because if you want to buy the real thing you really don't know what you're going to get if you buy from Amazon, eBay etc.

Actually, it looks like you can buy direct from Foscam, so that's probably the best route to go. They even have a Canada store. Been pondering setting up some cameras myself; I want it to be fully in-house with a DVR, so I need to do more research, but it looks like Foscam has some PoE Ethernet versions, which is good. Cheaper than Axis.
 

Elixer

I'm glad this doesn't affect http://www.foscam.com models.

;)
Heh, didn't notice Fosscam (sic).

https://arstechnica.com/security/20...pose-private-video-feeds-and-remote-controls/

The researchers went on to say that they notified Foscam representatives of the vulnerabilities several months ago and that, to date, the manufacturer hasn't fixed any of them. With no security updates, F-Secure declined to release proof-of-concept exploits. Besides the Foscam and Opticom brands, F-Secure said it was aware of 14 other brands used to market Foscam-made devices. They include:

So, in this case, it still is Foscam made devices, which are all made in China...
Here is the pdf of the report: http://images.news.f-secure.com/Web...lnerabilities-in-foscam-IP-cameras_report.pdf

Don't forget that if UPnP is on on your router, the camera can automatically open up ports to the outside world.
 

Red Squirrel

Oh yeah, UPnP is a trap for young players. Always turn that off. I'll be honest and say I never even knew that was a thing till maybe a few years ago when I read up on it; that is a scary, stupid "feature". Thankfully, it's off by default in pfSense.
 

boomerang

many people don't even bother setting up a password even if they can, e.g. http://www.insecam.org/en/view/364689/
Anyone that actually has or had a Foscam knows that you must set up a password in the very beginning of the process. You are blocked from going further until you do.

I'm not defending Foscam. I had two and they both had what I term to be premature failures. But there is truth and there is hype.
 

Linflas

Anyone that actually has or had a Foscam knows that you must set up a password in the very beginning of the process. You are blocked from going further until you do.

I'm not defending Foscam. I had two and they both had what I term to be premature failures. But there is truth and there is hype.
Hype gets a lot more clicks than truth.
 

clamum

Anyone that actually has or had a Foscam knows that you must set up a password in the very beginning of the process. You are blocked from going further until you do.

I'm not defending Foscam. I had two and they both had what I term to be premature failures. But there is truth and there is hype.

I recently got an Amcrest IP camera and it had a default password that I had to change before going further in setup. I figured it was a pretty standard thing for these but I'm no expert.
 

SKORPI0

Found this at a nearby thrift shop and paid $4.99 + tax. Hopefully I'll be able to figure out the Wi-Fi part. The item had no user manual or software.
Works great for viewing the video feed with an Android device.


https://www.amazon.com/Wanscam-Wireless-Camera-Vision-Webcam/dp/B00LTDR9QA

Red Squirrel

Assuming you put this on a closed network where the only ACL is to allow the DVR to connect to the camera, even if you have one that's set up insecurely or has a vulnerability, you should be safe, right?

Essentially that's all you really need for a camera setup: the DVR needs to be able to connect to it to get the stream, but the camera does not need to connect to anything, and it does not need to be connected to from anywhere else. The DVR connects to it, gathers and records, and then displays all the cameras to you. Unless there's something I might be missing? Are these cloud based, so they require to be on the internet?
 

Elixer

AFAIK, most of them are cloud based; a few of the better ones have SD/microSD cards for storage.
Unfortunately, it seems that the norm is to open ports to the net, outside your LAN, so you can DVR to their cloud service.
Then people DDoS the camera, and you won't get any pics/video.