Introduction Finding the Cameras Scanning the Address Space Results from Live Scan The Foscam Fingerprint Attack Vectors Prior Vulnerabilities Password Attacks CVE CVE (DDNS Poisoning) Recommendations End User Vendor Timeline

1. Introduction

Over the last several years IP security cameras have gained wide acceptance for business and home use. One of the leading providers of cameras in this space is Shenzhen Foscam Intelligent Technology Corporation, or simply Foscam. Foscam's product line includes indoor and outdoor pan/tilt cameras. Prior work has been done by Shekyan and Harutyunyan of Qualys [1]. This research expands upon their work and reports two new attack methods.

2. Finding the Cameras

2.1 Scanning the Address Space

Normally network scanning for a particular device, operating system, etc. would involve scanning a large portion of IP space and hoping an endpoint device replies with a response that distinguishes the device as a unique type. Scanning tools exist, such as nmap, which attempt to make a determination of a device using a built-in database of fingerprints.

Foscam provides their customers a value-added service with a dynamic domain name system (DDNS) for its cameras. The names follow a rigid naming scheme of the form, where XX are alphabetic characters and YYYY is a 4 digit number ranging from 0000 to For example, the first camera off the assembly line presumably came with a domain name of. With this scheme it is conceivable for Foscam to have 6,760,000 cameras (26 * 26 * 10,000).

Results from Live Scan

Given the above, it is possible to walk the entire DNS range to learn the IP addresses of all cameras which have communicated with the Foscam DDNS servers. Over the course of several weeks we walked the DDNS space with our custom software and came up with some interesting results.

| Summary | Count |
| --- | --- |
| Total DDNS Space | 6,760,000 |
| DNS Entries with a Valid IP | 404,686 |
| IPs Reachable on Port 80 | 41,893 |
| Cameras Fingerprinted | 15,209 |
| Cameras Running 11.x.y.z Firmware [2] | 14,826 |
| Fingerprinted Cameras Running Latest 11.x.y.z Firmware | 0 |
| Cameras Vulnerable to DNS Poisoning | > 15,209 |
| Cameras Vulnerable to CVE | unknown |

We found exactly zero cameras in the wild which run the latest firmware offered by Foscam. This could indicate end users who know to patch also know better than to hook up an IP camera to the Internet, or it could indicate that no one patches their cameras.

[2] Either y.z or y.z (fixed camera), or y.z or y.z (pan/tilt camera) according to

2.2 The Foscam Fingerprint

At this point an attacker has a starting point of possible accessible cameras. Now the attacker will want to fingerprint the cameras to determine which are exploitable.

As shown by Shekyan and Harutyunyan [3], the Foscam cameras have an unauthenticated page, get_status.cgi, available. This page provides a wealth of information to an attacker. Of particular concern are id, sys_ver, app_ver, and alias. ID is the MAC address of the wired network adapter. App_ver is the web user interface version. office, attic, etc.) given to the camera by the end user.

As of firmware version and web UI version, it appears Foscam has patched this hole. Unauthenticated requests to this page are met by a 401 Unauthorized response. It is still possible, however, to fingerprint using one of two methods:

1. Make an unauthenticated request to the vars.htm page. Unfortunately, this page returns only the id and alias. Given that an attacker can't access get_status.cgi, but can access vars.htm, the attacker can assume the camera is running a newer firmware. Additionally, as of firmware, the web server returned in the header is Boa/ instead of Netwave IP Camera.

2. Make an authenticated request to the get_status.cgi page using an empty username in an HTTP digest access authentication. This may bypass the 401 Unauthorized message and present an attacker with the same information as before. Please see section 3.3 for more details.

3. Attack Vectors

3.1 Prior Vulnerabilities

Now that an attacker has done the appropriate reconnaissance, it is time for him to attack. Previous attacks have been documented in CVE, CVE, and CVE

Password Attacks

The Foscam cameras are subject to password attacks. We have made the following observations:

1. The number of login attempts before locking out an IP address is 10. It appears the lockout remains in effect until reboot.

The cameras ship with a default login of username admin and an empty password. Shekyan and Harutyunyan previously showed 2 out of 10 cameras have default credentials in the wild. We did not replicate this research as we have no reason to doubt the trend has changed.