Foscam Camera Vulnerabilities

The popular Foscam C1 webcam has multiple vulnerabilities that, if exploited, allow retrieval of information stored in the camera and the running of arbitrary commands in it’s operating system.

A compromise of these wireless cameras is particularly disturbing when you consider they are frequently used as baby monitors and home security. Apps for computer and phone provide ready access to the camera, which captures both 720 HD video and 2-way audio. Data is stored on micro-SD cards, NVR, NAS, local hard drive, or in Foscam’s Cloud, and can also be sent with FTP.

Cisco’s Talos Intelligence Group worked with Foscam to understand and resolve 20 separate issues, and Foscam has released an update to it’s firmware, version V-2.x.2.46, that patches these vulnerabilities in several of their cameras, and can be downloaded from: https://www.foscam.com/downloads/firmware_details.html?id=1

The vulnerabilities and exploits include:

1. Dynamic DNS allows running admin commands in camera with authority, and when a response string is longer than the response buffer, the extra characters can be executed by the camera as code.
2. Un-signed “custom” Firmware Updates can be installed through the web interface, which lacks security and validation of the firmware image’s authenticity and integrity.
3. Private camera information (MAC address, camera name, firmware version) can be obtained using unsecured UDP for device to device communication.
4. If a username is entered that is longer than the receiving buffer in the camera, the extra characters can be executed as code by the camera’s operating system.
5. User accounts in camera can be reset to factory defaults by an un-authenticated user in the web management interface.
6. Even when logging off the web management interface, if the interface submits too long a string to the “logOut” command in the camera, even the limited but authenticated “visitor” account can cause the camera to run the extra characters as program code.
7. These cameras are designed to communicate with a network gateway for remote access to the device through the web management interface using UPnP Discovery and Response. If the web interface sends a UPnP response that has more characters than the receiving buffer is expecting, the extra characters can be run as program code.

It is clear that the coding practices of programmers can introduce multiple vulnerabilities just waiting to be discovered. The companies releasing e-devices often release firmware updates when vulnerabilities are discovered or exploits are reported. When you purchase a new device, be sure to register it, save a bookmark to the Support page for your device, and sign up for email alerts when updates are released.

If you wish to read more about the Foscam Camera Vulnerabilities click here.