Users of Foscam IoT security cameras are being warned to update their camera firmware immediately to avoid falling prey to an exploit chain that could give an attacker total root access to victim devices.

The vulnerability was discovered by researchers at IoT security firm Vdoo as part of “a wide scope security research of leading IoT products in the field of safety and security.”

In brief, a series of three exploits can be used by a remote attacker to gain root access to Foscam security cameras, and all the attacker needs to know is the camera’s IP address.

Foscam has updated its camera firmware to protect against the exploit. All users are advised to update their camera firmware immediately.

How to hack an IP camera

It takes just three exploits to go from knowing a Foscam camera’s IP address (or DNS name, which can also be used) to gaining root control over it.

To start, the attacker uses arbitrary file deletion vulnerability CVE-2018-6830 “to delete certain critical files that will result in authentication bypass when the webService process reloads.”

SEE: Research: Defenses, response plans, and greatest concerns about cybersecurity in an IoT and mobile world (Tech Pro Research)

The attacker then uses stack-based buffer overflow vulnerability CVE-2018-6832 to crash the webService process, which the watchdog daemon will try to reboot. Once webService restarts the file deletion, changes from 6830 will take effect, allowing the attacker to bypass the webService and gain administrative powers.

Finally, CVE-2018-6831, a shell command injection vulnerability, is used to escalate the attacker’s privileges to root level.

For a more detailed technical look at the process refer to Vdoo’s blog post linked above.

Protecting yourself from Foscam hijacking

It’s worth noting that Vdoo said it has no evidence that the vulnerability chain it discovered has been exploited in the wild. That said, now that the knowledge is widely available it’s only a matter of time before attackers start to try it, so it’s essential that Foscam users take the proper steps to protect themselves.

First off, new firmware is available that patches the exploit. Foscam users should update immediately using the link above.

You can determine if your Foscam camera is vulnerable by locating its firmware number, which can be found under Settings > Device Information in the camera’s web GUI. Vdoo also gives a command prompt method for getting the firmware from multiple cameras in its article.

Once you know the firmware of your cameras refer to Table 1 in Vdoo’s article, which lists all affected firmware numbers and model numbers that are vulnerable. If you find your camera and firmware number in that table it’s time to update your firmware.

If affected, a Vdoo camera could be configured to send security recordings to an attacker’s server, be used as a botnet node, or have its information changed to make it inaccessible. With a patch available there’s no good excuse for ending up in one of those situations.

The big takeaways for tech leaders:

  • A series of exploits has been revealed that could give an attacker root access to Foscam security cameras.
  • New firmware that protects against the exploit chain has been released; Foscam users should update immediately.

Also see