Hard-coded Passwords Make Hacking Foscam 'IP Cameras' Much Easier
Security researchers have discovered vulnerabilities in tens of thousands of web-connected cameras that cannot be mitigated simply by changing the default credentials.
The vulnerabilities were found in two models of IP cameras from Foscam, a China-based manufacturer. They allow attackers to take over a camera, watch its video feed and, in some cases, even gain access to other devices connected to the local network.
Researchers at security firm F-Secure discovered a total of 18 vulnerabilities in two camera models: one sold under the Foscam C2 brand and the other under the Opticam i5 HD brand. The flaws remain unpatched, although the company was informed several months ago.
In addition to the Foscam and Opticam brands, F-Secure also said that the weaknesses are present in 14 other brands, including Chacon, 7links, Netis, Turbox, Thomson, Novodio, Nexxt, Ambientcam, Technaxx, Qcam, Ivue and Ebode.
Here is the list of flaws discovered in the IP cameras:
- Insecure default credentials
- Hard-coded credentials
- Hidden and undocumented Telnet functionality
- Remote command injection
- Incorrect permissions assigned to programming scripts
- Firewall leaking details about the validity of credentials
- Persistent cross-site scripting
- Stack-based buffer overflow
Changing The Default Credentials: It Won't Help You
Generally, users are advised to change the default credentials on their smart devices, but in this case Foscam uses hard-coded credentials in its cameras, so an attacker can bypass authentication even if the user has set a unique password.
"Credentials that have been hard-coded by the manufacturer cannot be changed by the user. If the password is discovered and published on the internet (which often happens) attackers can gain access to the device. And as all devices have the same password, malware attacks such as worms can easily spread between devices," reads a report [PDF] released Wednesday by F-Secure.
These issues allow an attacker to mount a wide range of attacks, including unauthorized access to the camera, access to private video, remote command injection, use of compromised IP cameras for DDoS or other malicious activities, and compromise of other devices on the same network.
The security firm said that Foscam was informed about the vulnerabilities several months ago but has given no response. Because the camera manufacturer has not fixed any of the vulnerabilities, F-Secure has not released proof-of-concept (PoC) code for them.
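To make the point of this section concrete, here is an added C example (constructed for this article; it is not Foscam firmware or F-Secure code). The factory credential and the login functions are hypothetical placeholders: the vulnerable check accepts a credential compiled into the firmware in addition to the user-set one, so changing the password does not help, while the hardened check accepts only the user-set password.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* CONSTRUCTED placeholder: not a real Foscam value (the article publishes none). */
static const char FACTORY_PASSWORD[] = "factory-placeholder";

/* Simulated user-configurable password stored on the device. A real device
 * would store a salted hash; plaintext is used only to keep the example short. */
static char user_password[64] = "admin";

void set_user_password(const char *p) {
    strncpy(user_password, p, sizeof user_password - 1);
    user_password[sizeof user_password - 1] = '\0';
}

/* Constant-time comparison so the check does not leak where a mismatch occurs. */
static int ct_equal(const char *a, const char *b) {
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (la != lb);
    for (size_t i = 0; i < la && i < lb; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Vulnerable pattern described in the article: the device also accepts a
 * credential compiled into the firmware, so the user-set password is bypassed. */
int login_vulnerable(const char *pw) {
    return ct_equal(pw, user_password) || ct_equal(pw, FACTORY_PASSWORD);
}

/* Hardened: only the user-set credential is valid; no second path exists. */
int login_hardened(const char *pw) {
    return ct_equal(pw, user_password);
}

int main(void) {
    set_user_password("correct horse battery staple");
    printf("vulnerable accepts factory password: %d\n", login_vulnerable(FACTORY_PASSWORD));
    printf("hardened accepts factory password:   %d\n", login_hardened(FACTORY_PASSWORD));
    return 0;
}
```

The audit question for any device is whether such a second path exists at all; a user changing the password cannot close it, only a firmware fix can.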
So, what do you think about this? Share your thoughts in the comments below.