Bug in Chinese cameras raises fears over 'Internet of Things'

News by Tim Ring

'Dumb devices' offer unpatched vulnerabilities

A security flaw discovered in the webcams, IP surveillance cameras and even baby monitors made by Chinese company Foscam has highlighted the vulnerability of many ‘Internet of Things’ devices that are increasingly being connected to corporate networks.

The bug in camera company Foscam's kit was revealed on 23 January by US cyber security expert Brian Krebs, who said it allows anyone with access to the device's internet address to view live and recorded video footage.

Foscam is the same company that hit the headlines last August, when a US couple using one of its cameras to monitor their sleeping two-year-old child discovered it had been hacked when they heard a male voice shouting at the girl through the device.

In the latest incident, Krebs said camera experts, including Don Kennedy, an active member of the Foscam support forum, discovered the bug in devices running version .54 of Foscam's firmware. It enables anyone to access the device's web interface simply by pressing ‘OK’ in the dialogue box when prompted for a username and password.

Krebs said Foscam had promised that a firmware update fixing the flaw would be available via its website by 25 January. Meanwhile, Don Kennedy had also posted a workaround.

But the incident has raised renewed doubts over the security of ‘Internet of Things’ devices.

Alex Chapman, senior security consultant with UK consultancy Context Information Security, told SCMagazineUK.com that many companies remain unaware of the threat posed by equipment such as camera-based smart TVs, routers and set-top boxes.

“More and more of these devices being connected up to corporate networks and businesses in general is a concern,” Chapman said. “These devices are just as powerful as your computers from four or five years ago and have very similar capability – they are running the same software and the same operating systems as the servers that are in corporate infrastructures.

“But these devices never fall under the same patch management processes as servers or workstations – people see them as dumb devices when they're anything but these days.

“It's been highlighted by this particular exposure, but I think looking at devices like set-top boxes and personal home routing gateways ISPs give out, there's been numerous reports recently around these having intentional back doors in them or just such poor coding practices that they're trivial to exploit and compromise.

“It's about reminding people that these are computing devices that need to fall under the same sorts of scrutiny and configuration and securing these devices as you would a laptop or a desktop.”

According to Krebs, Foscam has confirmed the problem affected its camera models FI8904W, FI8905E, FI8905W, FI8906W, FI8907W, FI8909W, FI8910E, FI8910W, FI8916W, FI8918W and FI8919W.
