The Roman poet Juvenal once asked, "Who watches the watchmen?" The answer, apparently, is hackers.
Foscam wireless security cameras are apparently not much more secure than their private webcam counterparts, and the security devices contain vulnerabilities that allow anyone to look in on supposedly protected footage, two researchers found.
Sergey Shekyan and Artem Harutyunyan of Redwood City, Calif., security firm Qualys presented their findings yesterday (April 11) at the Hack in the Box security conference in Amsterdam.
Wireless security cameras offer a number of benefits over wired models. They essentially allow users to monitor any building, from small homes to large businesses, without the use of costly infrastructure. If you have a few cameras, a decent computer and an Internet connection, you've got a security station.
Unfortunately, that Internet connection could also be the system's undoing. Using a complex search engine called Shodan, hackers can find just about anything with an IP address, including security cameras. After identifying a system, finding a particular camera is pretty simple, as the devices all have a hostname that ends with "myfoscam.org."
Just finding a camera is not enough to hack its video feed, of course, but a fair number of users never think to change the default username or password for their camera. According to a Computerworld security report, 20 percent of all Foscam security cameras still use out-of-the-box settings: "admin" as a username and no password whatsoever.
Since Foscam cameras operate wirelessly, they store some critical information regarding IP addresses and Wi-Fi passwords. Foscam recently patched a security vulnerability that allowed hackers to discern these data. Ninety-nine percent of users remain unprotected, though, as they still have not applied the latest update. [See also: America's Top 10 Least Secure Cities ]
The innovative exploits don't end there. Ingenious hackers have devised methods for setting up secondary administrator accounts, guessing passwords by brute force, attacking a camera's Web interface or rewriting a device's firmware.
Hacking security cameras might seem like a strange use of hackers' time, given that it's neither as inherently profitable as stealing financial information nor as tantalizing as peeking into private users' webcams. Still, spying on the inner workings of corporations or learning a security guard's schedule in preparation for a burglary could prove useful for criminals.
Fixing security vulnerabilities in Foscam cameras is extremely easy. Just changing the default username and password will keep you safe from the most common exploits, and ensuring that you have the latest firmware will take care of the rest. After all, the irony of operating unsecure security cameras would be too much for most experts to bear.