[UPDATED June 23 with comment from Foscam.]
We've said it before, and we'll say it again: Don't buy cheap Chinese-made security cameras, because their security may just be terrible.
The latest evidence of this comes from Finnish information-security firm F-Secure. Yesterday (June 7), it released a report alleging that Foscam security cameras are full of vulnerabilities that could let them be easily taken over by hackers — and that Foscam doesn't seem to want to do anything about it.
Not only are Foscam-branded cameras at risk, F-Secure notes, but so are cameras made by Foscam but marketed under 13 other brand names, including Opticam, Thomson and Netis.
The flaws are staggeringly bad. They include hard-coded remote-access passwords that cannot be changed by the user; a hard-coded file-transfer password that is blank, i.e., no password; hidden Telnet access; no limit on incorrect login attempts; configuration files that can be changed remotely; remote factory reset; and a firewall that doesn't completely work.
"An attacker can view the video feed, control the camera operation and upload and download files from the built-in FTP server," F-Secure's report said. "They can stop or freeze the video feed, and use the compromised device for further actions such as DDoS or other malicious activity."
F-Secure tested two models: the Foscam C2, a home model sold in the United States for about $80, and the Opticam i5 HD, a home model sold in Finland. All 18 possible vulnerabilities were found on the Opticam, but only some on the Foscam. F-Secure warns that the same flaws probably exist in other models.
"While only two models have been investigated, it is likely that many of these vulnerabilities also exist in other models throughout the company's product line, and in other products Foscam manufactures and sells under other brand names," the report said.
Foscam makes and sells both low-priced home security cameras and commercial security cameras used by businesses and retailers. Using one of the affected cameras could greatly endanger a company's computer network.
"If the device is in a corporate local area network, and the attacker gains access to the network, they can compromise the device and infect it with a persistent remote-access malware," F-Secure warned. "The malware would then allow the attacker unfettered access to the corporate network and the associated resources."
Unfortunately, there's not much that home users can do to protect themselves, other than keeping the cameras off the internet (for example, on an isolated network segment with no route to the outside), which kind of defeats the purpose of an internet-connected security camera.
Changing the default username and password won't do much, because numerous hidden hard-coded backdoor access credentials will still be on the device.
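To make the point concrete, here is an added, hypothetical login routine of the kind F-Secure describes, beside a hardened one. This is illustrative code written for this article, not Foscam firmware or anything from the F-Secure report; the "factory" credential in it is a constructed placeholder, not a real Foscam value. The vulnerable class keeps accepting the baked-in credential after the owner changes the password and never limits failed attempts; the hardened class has no second path, stores salted hashes, and locks a client out after a few failures.

```python
"""Illustrative camera login handlers (hypothetical; not Foscam firmware).

VulnerableLogin mirrors the two flaws discussed above: a hard-coded credential
the owner cannot remove, and no limit on incorrect login attempts.
HardenedLogin shows what removing both looks like.
"""
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Placeholder standing in for a vendor-baked credential. The value is constructed
# for this example and is NOT a real Foscam credential.
BACKDOOR_USER, BACKDOOR_PASS = "factory", "placeholder-not-a-real-credential"


class VulnerableLogin:
    """Accepts the owner's password *or* the hard-coded one; never locks out."""

    def __init__(self, user, password):
        self._users = {user: password}      # plaintext, as cheap firmware often does

    def set_password(self, user, new_password):
        self._users[user] = new_password

    def authenticate(self, user, password):
        if self._users.get(user) == password:
            return True
        # The backdoor survives any password change the owner makes.
        return user == BACKDOOR_USER and password == BACKDOOR_PASS


class HardenedLogin:
    """No baked-in credentials, salted PBKDF2 hashes, per-client lockout."""

    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 300
    # Dummy salt/hash so unknown users still cost one PBKDF2 (no username oracle).
    _DUMMY_SALT, _DUMMY_HASH = b"\x00" * 16, b"\x00" * 32

    def __init__(self, user, password, clock=time.monotonic):
        self._users = {}                     # user -> (salt, hash)
        self._failures = defaultdict(int)    # client -> consecutive failures
        self._locked_until = {}              # client -> monotonic timestamp
        self._clock = clock                  # injectable for testing
        self.set_password(user, password)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_password(self, user, new_password):
        salt = os.urandom(16)
        self._users[user] = (salt, self._hash(new_password, salt))

    def is_locked(self, client):
        return self._clock() < self._locked_until.get(client, 0.0)

    def authenticate(self, user, password, client):
        if self.is_locked(client):
            return False                     # refuse even a correct password while locked
        salt, stored = self._users.get(user, (self._DUMMY_SALT, self._DUMMY_HASH))
        ok = hmac.compare_digest(self._hash(password, salt), stored) and user in self._users
        if ok:
            self._failures[client] = 0
            return True
        self._failures[client] += 1
        if self._failures[client] >= self.MAX_FAILURES:
            self._locked_until[client] = self._clock() + self.LOCKOUT_SECONDS
            self._failures[client] = 0
        return False


if __name__ == "__main__":
    v = VulnerableLogin("admin", "admin")
    v.set_password("admin", "correct horse battery")
    print("backdoor still works after password change:",
          v.authenticate(BACKDOOR_USER, BACKDOOR_PASS))
    h = HardenedLogin("admin", "correct horse battery")
    print("backdoor works on hardened build:",
          h.authenticate(BACKDOOR_USER, BACKDOOR_PASS, "192.0.2.10"))
```

The lockout is keyed per client so one guesser cannot lock the owner out from another address; on a real device the client key would be the source IP of the HTTP or Telnet session, and the failure counters would need to survive a reboot to block the remote factory-reset-then-retry pattern.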
Foscam's U.S. website has a guide to updating a camera's firmware, and states that all known flaws had been fixed as of June 3. But F-Secure said it had informed Foscam of the flaws several months ago, and added that, "to date no fixes have been issued by the vendor."
Tom's Guide has reached out to Foscam for comment, and we will update this story when we receive a response.
UPDATE: Foscam has responded to our inquiries.
"We've conducted a thorough review and fixed all issues with firmware upgrades where necessary," the company said in an emailed statement. "The 18 items cited in the report were actually so minor in nature as to be virtually non-existent. ... There were therefore zero reports of any security breaches ever occurring in any products used by customers, due to the extremely improbable nature of the exploits."
"Due to miscommunication between F-Secure and the third-party OEM partner they [F-Secure] first contacted about their research, the R&D team at Foscam was not contacted until after a report was released," the statement specified.
A detailed security advisory has been posted on the Foscam Mall website, and notes that customers can "download new firmware from http://www.foscam.com/downloads/index.html or update the firmware using [the] Foscam App."