At GenX Security, we stay up to date on all topics related to security. When we found this article by F-Secure about the vulnerabilities of Chinese-made Foscam cameras, we thought it too important not to share, and we provide a link to the full article at the bottom of this post. We are committed to helping our clients' homes, streets, and businesses stay secure in the era of the Internet of Things. Check out the research report by F-Secure about Foscam cameras by clicking here.
The Internet of Things is here. And with it are exciting possibilities, cost savings and efficiencies. But there’s a dark side to this bright new world, and it can be summed up in what we call Hypponen’s Law: If it’s smart, it’s vulnerable.
F-Secure and companies like us are discovering vulnerabilities in internet-connected “things” all the time. And Hypponen’s Law was proved yet again recently with the discovery of multiple vulnerabilities within two IP security cameras made by Chinese manufacturer Foscam. As detailed in our new report, F-Secure has identified 18 different vulnerabilities in the cameras that, if exploited, allow for an attacker to take control of the camera and view and download the video feed.
This is nothing new – we’ve all heard stories about hacker voyeurs spying on unsuspecting victims. But what shouldn’t be forgotten is that this device is not just a camera, it’s also a server. A vulnerable server that gives an attacker a foothold into the rest of the network, as F-Secure’s Janne Kauhanen explains in this video.
If this device happens to be in a corporate network and an attacker gains access to the network, the attacker could infect it with malware that would grant the attacker access to the rest of the network and its resources.
NETWORKS IN FLUX
The network perimeter is dissolving, and has been for years. With cloudification, consumerization, and a mobile work force, devices, assets and data that used to be inside are now outside, and what was out is now in. The Internet of Things further erases this network perimeter, with smart “things” extending the network far beyond workstations, laptops, smartphones or tablets.
Kauhanen put it this way: “IoT brings more devices into your networks that you don’t think of as network devices. This leads to a shadow IT situation where companies are not aware of all the devices in their networks. And if you don’t know about something, you can’t protect it.”
Harry Sintonen, our security consultant who found the vulnerabilities, says he’s never seen any device quite so poorly designed. “These vulnerabilities are as bad as it gets,” he said. “They allow an attacker to pretty much do whatever he wants. An attacker can exploit them one by one, or mix and match to get greater degrees of privilege inside the device and the network.”
Many of the vulnerabilities that plague this camera are about neglect. Neglecting to make default passwords random, neglecting to lock out users who attempt too many incorrect passwords, neglecting to restrict access to critical files and directories. And some of them are about capabilities that shouldn’t be there – like hidden Telnet access, or hard-coded credentials that allow an attacker to bypass even a user’s unique password.
But they all point to one thing: manufacturers’ chronic neglect of security. This problem permeates smart “things” in general. Security is not a selling point, so manufacturers don’t invest in it. This has led to legions of insecure cameras, routers, thermostats, DVRs, water kettles, cars, you name it.
And that’s a problem that doesn’t just affect the owners of these devices. Last autumn, unprecedented DDoS attacks employed armies of insecure, malware-infected IoT devices to bring down large swaths of the internet. If we don’t get IoT security right, the whole internet is at risk.
Finding and infecting these devices is no problem for attackers out there, because manufacturers have made it pretty easy. Says Kauhanen, “If one of these devices is in your network, I guarantee, the bad guys are gonna find it.”
While it may sound like doom and gloom, there’s hope, say F-Secure experts. While regulation is never an ideal solution, it would help to get manufacturers’ attention on security.
“Many industries go through this process, where we realize there are security issues to solve,” says Sean Sullivan, Security Advisor at F-Secure. “Cars, for example – eventually we realized seatbelts would be a good idea. IoT is going through the same process. In ten years, these issues will have worked themselves out. The question is, do you want these problems to dull your competitive edge in the meantime?”