FOSCAM cameras compromised. Affected models should be disconnected.

In a press release yesterday afternoon, Foscam officially announced their branded cameras manufactured by China-based Shenzhen Foscam have severe security vulnerabilities “which leave users vulnerable to hacks which allow attackers to remotely take-over cameras, live stream, download stored files and even compromise other devices located on the local network.”

Foscam recommends “disconnecting your current Foscam branded cameras from the internet until these issues have been resolved.”

The models affected are:

  • Foscam R2
  • Foscam C1
  • Foscam C1 Lite
  • Foscam C2
  • Foscam FI9800
  • Foscam FI9826P
  • Foscam FI9828P
  • Foscam FI9851P
  • Foscam FI9853EP
  • Foscam FI9901EP
  • Foscam FI9903P
  • Foscam FI9928P

“The vulnerabilities affect ‘Foscam’ branded cameras and cameras manufactured by China-based Shenzhen Foscam only. The vulnerabilities DO NOT affect Amcrest or FDT branded cameras which are produced by a separate factory and R&D team led by US-based Amcrest (formerly Foscam US and now Amcrest), which is totally unrelated to China-based Shenzhen Foscam.”

There is a damning report by F-Secure [.pdf download] on the exact vulnerabilities found on the affected Foscam cameras. For starters, there is hidden Telnet functionality, there are hidden hard-coded credentials for the web user interface, the FTP server account on the cameras has a hard-coded password, and the configuration back-up file is protected by hard-coded credentials. Any one of those is a very bad thing, but for all of those hard-coded backdoors to be on every camera system and on all models coming from one location? “Suspicious” would be a kind word.
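The backdoor classes the report lists (a Telnet service nobody asked for, accounts with baked-in passwords, credentials sitting in config files) are exactly the things a firmware audit can flag before a device ever goes on the network. The script below is an added example written for this post, not code from Foscam or F-Secure. It walks an extracted root filesystem and reports those patterns; the sample filesystem it builds is constructed for the demonstration, and the file names and config keys in it (`etc/app/web.conf`, `ftp_password`, `S50telnet`) are assumptions, not the layout of any real Foscam firmware.

```python
"""Audit an extracted embedded-device root filesystem for backdoor indicators.

Added example for this post. Checks three classes the F-Secure report names:
  1. system accounts with a password hash (or no password at all) baked in
  2. a telnet daemon launched at boot
  3. credential-looking keys with literal values in config files
The sample filesystem built by build_sample_rootfs() is constructed; nothing
in it comes from real camera firmware.
"""
import re
import tempfile
from pathlib import Path
from typing import List, Tuple

Finding = Tuple[str, str, str]  # (severity, relative path, description)

# telnetd started directly or via busybox in an init script / inittab
TELNET_RE = re.compile(r"\b(?:busybox\s+)?telnetd\b")
# key=value or key: value lines whose key looks like a password field
CRED_RE = re.compile(r"^\s*(\w*(?:passwd|password|pass|pwd)\w*)\s*[=:]\s*(\S+)", re.I | re.M)
# passwd/shadow field-2 markers that mean "no usable password here"
LOCK_MARKERS = {"x", "*", "!", "!!"}


def audit_rootfs(root: Path) -> List[Finding]:
    """Return findings for the extracted root filesystem at `root`."""
    findings: List[Finding] = []

    # 1. hard-coded accounts in /etc/passwd and /etc/shadow
    for name in ("etc/passwd", "etc/shadow"):
        p = root / name
        if not p.is_file():
            continue
        for line in p.read_text(errors="ignore").splitlines():
            fields = line.split(":")
            if len(fields) < 2:
                continue
            user, pw = fields[0], fields[1]
            if pw == "":
                findings.append(("high", name, f"account '{user}' has an empty password (passwordless login)"))
            elif pw not in LOCK_MARKERS:
                findings.append(("high", name, f"account '{user}' has a baked-in password hash"))

    # 2. telnetd launched at boot
    init_d = root / "etc/init.d"
    candidates = list(init_d.glob("*")) if init_d.is_dir() else []
    candidates.append(root / "etc/inittab")
    for p in candidates:
        if p.is_file() and TELNET_RE.search(p.read_text(errors="ignore")):
            findings.append(("high", str(p.relative_to(root)), "telnetd started at boot"))

    # 3. literal credentials in *.conf files anywhere in the image
    for p in sorted(root.rglob("*.conf")):
        for m in CRED_RE.finditer(p.read_text(errors="ignore")):
            findings.append(("medium", str(p.relative_to(root)), f"credential key '{m.group(1)}' has a literal value"))

    return findings


def build_sample_rootfs() -> Path:
    """Create a constructed mini rootfs in a temp dir and return its path (sample data only)."""
    root = Path(tempfile.mkdtemp(prefix="rootfs_"))
    files = {
        # root defers to shadow ("x"), daemon is locked ("*"), svc carries a hash
        "etc/passwd": "root:x:0:0:root:/root:/bin/sh\n"
                      "daemon:*:1:1:daemon:/usr/sbin:/bin/false\n"
                      "svc:$1$CONSTRUCTED$examplehash:500:500::/:/bin/sh\n",
        "etc/shadow": "root:$1$CONSTRUCTED$examplehash:0:0:99999:7:::\n"
                      "daemon:*:0:0:99999:7:::\n",
        "etc/inittab": "::sysinit:/etc/init.d/rcS\n",
        "etc/init.d/S50telnet": "#!/bin/sh\nbusybox telnetd -l /bin/sh &\n",
        "etc/app/web.conf": "ftp_user=camera\n"
                            "ftp_password=CONSTRUCTED-example\n"
                            "admin_passwd=CONSTRUCTED-example\n",
    }
    for rel, content in files.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root


if __name__ == "__main__":
    for severity, path, desc in audit_rootfs(build_sample_rootfs()):
        print(f"[{severity:<6}] {path}: {desc}")
```

Run it as-is to see the five findings from the constructed image (the `svc` and `root` hashes, the telnet init script, and the two password keys in `web.conf`), or point `audit_rootfs()` at a directory produced by unpacking a firmware image. The password-key regex is deliberately loose; on a real image expect to review its hits by hand, since a key named `password` may legitimately hold a placeholder rather than a working credential.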

As I have ranted before about master passwords and again about master backdoors, hardware and software with embedded hard-coded and/or universal master passwords are a big problem. Regardless of the original intent behind a master password and/or backdoor, once that “core” password gets out, that product is fair game for anyone, for any purpose, anywhere, anytime.

Good thing everyone on the internet is kind and rational. Oh, wait, that was just that one day back in 1989. Nevermind.