F-Secure researchers have discovered a bucketload of serious security vulnerabilities affecting IP cameras made by Chinese manufacturer Foscam.
The researchers have found the holes in the Opticam i5 HD device and the Foscam C2, but say it’s very likely that they affect other camera models manufactured by the company, as well as other products Foscam manufactures and sells under other brand names: Chacon, Thomson, 7links, Netis, Turbox, Novodio, Ambientcam, Nexxt, Technaxx, Qcam, Ivue, Ebode, Sab, and Opticam.
The security issues include insecure default credentials, hard-coded credentials, hidden Telnet functionality, a flawed firewall, command injection bugs, missing restriction of multiple login attempts, and so on. Exploitation of these flaws could allow total device compromise. Some of the vulnerabilities are very severe and easily exploited by an attacker.
Unfortunately, there’s not much individual users can do about it if the company does not push out a patch. Changing the default password on their device will not help much, as attackers can simply use the hard-coded credentials to gain access to it.
Even though it was notified months ago, Foscam has still not fixed the issues.