Authentication bypass bug exposes Foscam webcams to unauthorized access

Remote users can access the video stream without a username and password

By Lucian Constantin, IDG News Service | Security

However, it appears that Foscam released firmware version .55 for some of those camera models Thursday. The firmware update is available for download from the company's website and its changelog file specifies that it fixes a bug allowing the execution of CGI commands without authentication. The update also prevents using blank spaces in the user name field and adds support for special characters in passwords.

In an update on the Foscam forum, Kennedy confirmed that version .55 of the firmware fixes the unauthorized access vulnerability. However, it does not resolve the camera freeze issue, he said.

This means an attacker who repeatedly tries to access Internet-facing cameras running the new .55 firmware version with a blank user name and password might end up temporarily disabling those cameras.

Foscam did not immediately respond to an inquiry seeking clarifications about which affected models haven't received the .55 firmware update and the denial-of-service issue.

A security notice on the company's U.S. website that appears to be updated periodically currently reads: "Foscam is fully committed to maintaining the safety and integrity of our user experience and will take all action reasonably necessary to ensure the privacy and security of our cameras. As soon as a security vulnerability is revealed Foscam endeavors to immediately release a firmware update to fix the issue. As of January 19, 2014, there are no known vulnerabilities with any of our cameras once updated with the latest firmware as outlined below. All cameras currently sold by Foscam.us are upgraded with the latest firmware."

In the same message the company recommends changing the default user name and password of the camera, changing the default port for remote access and regularly checking the camera's logs, which can reveal unauthorized access attempts.
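The article recommends reviewing the camera's logs for unauthorized access attempts, and the paragraphs above describe two patterns worth looking for: CGI requests with a blank user name and password (the bypass on old firmware, and the freeze trigger on .55), and such a request being answered with success. The following is an added example of that review logic, not code from Foscam or from the article. It assumes a common web-server access-log line shape, a hypothetical `/stream.cgi` endpoint and `user`/`pwd` query parameters; Foscam's real log format and CGI names are not given on the page, so the sample lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in a common web-server access-log shape. The
# /stream.cgi path and the user/pwd parameter names are assumptions, not
# Foscam's real CGI interface.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Jan/2014:10:00:01 +0000] "GET /stream.cgi?user=&pwd= HTTP/1.1" 401 0
203.0.113.7 - - [20/Jan/2014:10:00:02 +0000] "GET /stream.cgi?user=&pwd= HTTP/1.1" 401 0
203.0.113.7 - - [20/Jan/2014:10:00:03 +0000] "GET /stream.cgi?user=&pwd= HTTP/1.1" 401 0
198.51.100.4 - - [20/Jan/2014:10:05:00 +0000] "GET /stream.cgi?user=alice&pwd=s3cret HTTP/1.1" 200 51234
203.0.113.7 - - [20/Jan/2014:10:00:04 +0000] "GET /stream.cgi?user=&pwd= HTTP/1.1" 200 51234
192.0.2.9 - - [20/Jan/2014:11:00:00 +0000] "GET /index.html HTTP/1.1" 200 812
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so that 'user=' is kept as an empty value instead of dropped
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    rec["status"] = int(rec["status"])
    return rec


def is_cgi_auth_request(rec):
    """True for CGI requests that carry credential parameters at all."""
    return rec["path"].endswith(".cgi") and (
        "user" in rec["params"] or "pwd" in rec["params"]
    )


def has_blank_credentials(rec):
    """True when the user name or the password parameter is empty or absent."""
    user = rec["params"].get("user", [""])[0]
    pwd = rec["params"].get("pwd", [""])[0]
    return user == "" or pwd == ""


def analyze(log_text, threshold=3):
    """Summarise blank-credential CGI activity per source address.

    attempts:         blank-credential CGI requests per source IP
    successful_blank: (ip, path) pairs where a blank login was answered with 200,
                      i.e. the authentication bypass worked
    repeat_offenders: IPs at or above `threshold` attempts, the repeated probing
                      that can freeze a camera on firmware .55
    """
    attempts = Counter()
    successful_blank = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_cgi_auth_request(rec):
            continue
        if has_blank_credentials(rec):
            attempts[rec["ip"]] += 1
            if rec["status"] == 200:
                successful_blank.append((rec["ip"], rec["path"]))
    repeat_offenders = sorted(ip for ip, n in attempts.items() if n >= threshold)
    return {
        "attempts": attempts,
        "successful_blank": successful_blank,
        "repeat_offenders": repeat_offenders,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["attempts"].most_common():
        print(f"{ip}: {n} blank-credential CGI request(s)")
    for ip, path in report["successful_blank"]:
        print(f"ALERT: {ip} reached {path} with blank credentials (status 200)")
    for ip in report["repeat_offenders"]:
        print(f"WARN: {ip} repeatedly probing with blank credentials")
```

The threshold and the log shape are the parts to adapt to a real deployment; the decision logic (count blank-credential CGI requests per source, and treat any such request that succeeds as a confirmed bypass) is what the review is for.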

In April, security researchers from Qualys reported several security weaknesses in Foscam cameras and said that using the Shodan search engine they were able to find more than 100,000 cameras connected to the Internet. They estimated at the time that two out of every 10 of those cameras allow users to log in with the default "admin" user and no password.
