Authentication bypass bug exposes Foscam webcams to unauthorized access

Remote users can access the video stream without a username and password

The software used by many wireless IP cameras manufactured by Foscam Digital Technologies has a vulnerability that allows remote users to access their video streams and take snapshots without proper authentication.

The issue was reported on the Foscam technical support forum this week by the owner of a Foscam FI8905W Wireless IP Camera that's built for outdoor environments.

"I discovered fairly early in my testing, that the user could just press OK in the dialogue window without filling in a user or password and they would be taken to the image," a user with the nickname SENWiEco said Monday. The camera was running the latest firmware version at the time -- 11.35.2.54, he said.

A regular forum user and software developer named Don Kennedy who uses the nickname TheUberOverLord subsequently investigated the issue and concluded that other indoor and outdoor camera models from Foscam's MJPEG series have the same issue. Kennedy tracked down the problem to the software's user management system.

Foscam MJPEG cameras support as many as eight separate user accounts with different privileges: Administrator, Operator and Visitor. The user administration interface has eight user ID fields, but only one of them is configured by default with user name "admin" and privilege Administrator. The rest are blanked out and have the Visitor privilege assigned by default.

According to Kennedy, if any of the eight user slots is left empty -- with no username and password configured -- it's possible to access the camera by simply hitting OK on the authentication prompt. This will give the remote user Visitor privileges and allow them to access video streams with or without audio, take snapshots and execute any CGI commands available to the Visitor access level.

A workaround is to manually configure user names and passwords for all eight user ID fields, Kennedy said. However, this has the downside of exposing the camera to denial-of-service attacks.
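The slot-based user lookup Kennedy describes, modelled here as an added example (this is illustrative Python written for this article, not Foscam firmware code; the eight slots, the default "admin" account and the Visitor default for empty slots follow the article, while the function names and the matching logic are assumptions). It shows why a blank username and password succeed when any slot is unconfigured, why filling all eight slots works around it, and how a corrected lookup refuses unconfigured slots outright:

```python
"""Toy model of the user-table authentication bug described in the article.

Added example, not Foscam's code. Slot count, privilege names and the default
table layout follow the article; the lookup logic itself is an assumption.
"""
from dataclasses import dataclass

ADMINISTRATOR, OPERATOR, VISITOR = "Administrator", "Operator", "Visitor"
SLOT_COUNT = 8


@dataclass
class UserSlot:
    name: str = ""
    password: str = ""
    privilege: str = VISITOR  # unconfigured slots default to Visitor (per the article)


def default_user_table() -> list[UserSlot]:
    """Factory-default table: slot 0 is 'admin' as Administrator, the rest are blank."""
    table = [UserSlot() for _ in range(SLOT_COUNT)]
    table[0] = UserSlot("admin", "", ADMINISTRATOR)
    return table


def unconfigured_slots(table: list[UserSlot]) -> list[int]:
    """Owner-side check: indices of slots with no username, i.e. the ones that
    make a blank login succeed against the vulnerable lookup below."""
    return [i for i, slot in enumerate(table) if not slot.name]


def authenticate_vulnerable(table: list[UserSlot], name: str, password: str):
    """Assumed buggy lookup: compares the submitted credentials against every
    slot, blank or not. Submitting '' / '' therefore matches the first empty
    slot and yields that slot's privilege (Visitor), which is the bypass."""
    for slot in table:
        if slot.name == name and slot.password == password:
            return slot.privilege
    return None


def authenticate_fixed(table: list[UserSlot], name: str, password: str):
    """Corrected lookup: a blank username is never a valid login, and slots
    that were never configured are skipped rather than compared."""
    if not name:
        return None
    for slot in table:
        if not slot.name:
            continue  # unconfigured slot: not an account
        if slot.name == name and slot.password == password:
            return slot.privilege
    return None


def fill_all_slots(table: list[UserSlot], password_for) -> list[UserSlot]:
    """The forum workaround: give every empty slot a name and a password so
    the vulnerable lookup has nothing blank left to match. `password_for(i)`
    is an assumed callback returning a distinct password per slot."""
    for i, slot in enumerate(table):
        if not slot.name:
            slot.name = f"placeholder{i}"
            slot.password = password_for(i)
    return table


if __name__ == "__main__":
    table = default_user_table()
    print("unconfigured slots:", unconfigured_slots(table))          # [1, 2, 3, 4, 5, 6, 7]
    print("blank login, vulnerable:", authenticate_vulnerable(table, "", ""))  # Visitor
    print("blank login, fixed:", authenticate_fixed(table, "", ""))            # None
    filled = fill_all_slots(default_user_table(), lambda i: f"constructed-pw-{i}")
    print("blank login after workaround:", authenticate_vulnerable(filled, "", ""))  # None
```

Note that the workaround only closes the blank-slot match; it does nothing about a default "admin" account with an empty password, which the corrected lookup also still accepts, so changing the default credentials remains a separate step.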

According to Kennedy, there's a second bug that causes the camera to freeze after a certain number of failed attempts to access the camera without a user name and password. If this happens, the camera owner might need to restart the camera by powering it down and back up, he said.

This could be inconvenient, especially since many of these cameras are set up so they can be monitored remotely, so their owners might not immediately have physical access to them.

The issue appears to be restricted to system firmware version .54 for the MJPEG Indoor and Outdoor camera models, Kennedy said Monday on the forum. "The following MJPEG based camera models have a system firmware version of .54 currently released: FI8904W, FI8905E, FI8905W, FI8906W, FI8907W, FI8909W, FI8910E, FI8910W, FI8916W, FI8918W and FI8919W," he said at the time.

However, it appears that Foscam released firmware version .55 for some of those camera models Thursday. The firmware update is available for download from the company's website and its changelog file specifies that it fixes a bug allowing the execution of CGI commands without authentication. The update also prevents using blank spaces in the user name field and adds support for special characters in passwords.

In an update on the Foscam forum, Kennedy confirmed that version .55 of the firmware fixes the unauthorized access vulnerability. However, it does not resolve the camera freeze issue, he said.

This means an attacker who repeatedly tries to access Internet-facing cameras running the new .55 firmware version with a blank user name and password might end up temporarily disabling those cameras.

Foscam did not immediately respond to an inquiry seeking clarifications about which affected models haven't received the .55 firmware update and the denial-of-service issue.

A security notice on the company's U.S. website that appears to be updated periodically currently reads: "Foscam is fully committed to maintaining the safety and integrity of our user experience and will take all action reasonably necessary to ensure the privacy and security of our cameras. As soon as a security vulnerability is revealed Foscam endeavors to immediately release a firmware update to fix the issue. As of January 19, 2014, there are no known vulnerabilities with any of our cameras once updated with the latest firmware as outlined below. All cameras currently sold by Foscam.us are upgraded with the latest firmware."

In the same message the company recommends changing the default user name and password of the camera, changing the default port for remote access and regularly checking the camera's logs, which can reveal unauthorized access attempts.

In April, security researchers from Qualys reported several security weaknesses in Foscam cameras and said that using the Shodan search engine they were able to find more than 100,000 cameras connected to the Internet. They estimated at the time that two out of every 10 of those cameras allow users to log in with the default "admin" user and no password.


Lucian Constantin

IDG News Service