ID: IRCNE2013041817
Date: 2013-04-13
According to Computerworld, two researchers from security firm Qualys say that thousands of wireless IP cameras connected to the Internet have serious security weaknesses that allow attackers to hijack them and alter their firmware.
The cameras are sold under the Foscam brand in the U.S., but the same devices can be found in Europe and elsewhere with different branding, said Qualys researchers Sergey Shekyan and Artem Harutyunyan, who analyzed the security of the devices and are scheduled to present their findings at the Hack in the Box security conference in Amsterdam on Thursday.
Tutorials provided by the camera vendor contain instructions on how to make the devices accessible from the Internet by setting up port-forwarding rules in routers. Because of this, many such devices are exposed to the Internet and can be attacked remotely, the researchers said.
Finding the cameras is easy and can be done in several ways.
Around two out of every 10 cameras allow users to log in with the default "admin" user name and no password, the researchers said. For the rest that do have user-configured passwords, there are other ways to break in.
One method is to exploit a recently discovered vulnerability in the camera's Web interface that allows remote attackers to obtain a snapshot of the device's memory.
Even though the vendor has patched this vulnerability in the latest firmware, 99% of Foscam cameras on the Internet are still running older firmware versions and are vulnerable, they said.
Another method is to exploit a cross-site request forgery (CSRF) flaw in the interface by tricking the camera administrator into opening a specially crafted link. This can be used to add a secondary administrator account to the camera.
A third method is to perform a brute-force attack in order to guess the password, because the camera has no protection against this and the passwords are limited to 12 characters, the researchers said.
Once an attacker gains access to a camera, he can determine its firmware version, download a copy from the Internet, unpack it, add rogue code to it and write it back to the device.
The firmware is based on uClinux, a Linux-based operating system for embedded devices, so technically these cameras are Linux machines connected to the Internet. This means they can run arbitrary software like a botnet client, a proxy or a scanner, the researchers said.
Since the cameras are also connected to the local network, they can be used to identify and remotely attack local devices that wouldn't otherwise be accessible from the Internet, they said.
If the cameras do need to be reachable from the Internet, they should be deployed behind firewalls or intrusion prevention systems with strict rules.
Access to them should only be allowed from a limited number of trusted IP addresses and the maximum number of concurrent connections should be throttled, they said. Isolating the cameras from the local network is also a good idea, in order to prevent them from being abused to attack local devices.
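The firewall advice above, sketched as an added example (not from the article or the researchers): an iptables plan for a Linux router that forwards a port to the camera. The addresses, the port, the `CAM_FWD` chain name and the connection limit are assumptions; the script prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Restrict a port-forwarded IP camera: trusted sources only, capped concurrent
# connections, and no camera-initiated traffic into the LAN.
# All addresses below are constructed examples, not values from the article.
CAM_IP="${CAM_IP:-192.168.50.10}"       # camera on its own segment (assumed)
CAM_PORT="${CAM_PORT:-80}"              # camera web interface port (assumed)
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # internal LAN to protect (assumed)
TRUSTED="${TRUSTED:-198.51.100.7 203.0.113.0/28}"  # allowed viewers (constructed)
MAX_CONN="${MAX_CONN:-4}"               # concurrent connections per source host

# Dry run by default: print each command. Set APPLY=1 (as root) to execute.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

camera_rules() {
    run iptables -N CAM_FWD
    # Packets on connections that already passed the checks below.
    run iptables -A CAM_FWD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    for src in $TRUSTED; do
        # Throttle: refuse a new connection once this host holds MAX_CONN.
        run iptables -A CAM_FWD -s "$src" -p tcp --syn \
            -m connlimit --connlimit-above "$MAX_CONN" --connlimit-mask 32 \
            -j REJECT --reject-with tcp-reset
        run iptables -A CAM_FWD -s "$src" -p tcp --syn -j ACCEPT
    done
    # Every other source, including password-guessing traffic, is dropped.
    run iptables -A CAM_FWD -j DROP
    # Send forwarded traffic for the camera's web port through the chain.
    # After DNAT the destination is the camera's internal address and port.
    run iptables -I FORWARD 1 -d "$CAM_IP" -p tcp --dport "$CAM_PORT" -j CAM_FWD
    # Isolation: the camera may answer LAN clients but may not open new
    # connections into the LAN, so altered firmware cannot reach local hosts.
    run iptables -I FORWARD 1 -s "$CAM_IP" -d "$LAN_NET" \
        -m conntrack --ctstate NEW -j DROP
}

camera_rules
```

The isolation rule matches only new connections, so replies from the camera to a LAN viewer that connected first still pass.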