A widely used brand of wireless IP cameras contains several security weaknesses that could enable attackers to access the devices and potentially alter their firmware, two researchers from the security firm Qualys recently announced at the Hack in the Box conference in Amsterdam. Many cameras sold under the Foscam brand in the U.S. contain a software security vulnerability and several other weaknesses that could enable malicious activity, according to presenters Sergey Shekyan and Artem Harutyunyan.
Many Foscam cameras are exposed to the internet, making it possible to access them remotely. An attacker might do so by running a query on the Shodan search engine – which, according to the researchers, turns up more than 100,000 results – or by scanning the *.myfoscam.org name space, on which most internet-connected Foscam cameras are automatically assigned a hostname, Network World reported.
Once found, approximately 20 percent of connected cameras allow users to log in with the default “admin” user name and no password, according to Network World. Researchers noted that attackers could also use a brute-force attack or exploit a directory traversal vulnerability that allows them to see a snapshot of the device’s memory. This memory dump typically contains administrator credentials in plain text, as well as other sensitive information such as Wi-Fi credentials and details about connected devices.
Carrying out an attack
With this information, remote attackers can access the device and insert their own firmware, which might be used to create a hidden backdoor administrator account, run a proxy server or load malicious code that would compromise the administrator’s browser. Although the cameras have only 16MB of RAM, they run a version of Linux, meaning that they can run arbitrary software such as a botnet client, proxy or scanner, Network World reported.
The devices are also vulnerable to denial-of-service attacks because they can only handle around 80 HTTP connections at a time. This weakness could be exploited to shut down the camera during a robbery, researchers noted.
Foscam has released a patch for the path traversal vulnerability, but, according to the researchers, 99 percent of internet-connected cameras have not installed it, leaving them exposed. To prevent these attacks, organizations should remove their cameras from the internet or place them behind a firewall to restrict access.
Device manufacturers can avoid comparable software security incidents by using static analysis software to catch bugs before they are released. With source code analysis tools, it’s possible to improve security during the development process and avoid the fallout associated with a vulnerability announcement.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.