Earlier this month, a creepy dude hacked into a Houston family’s Web-connected baby monitor to call a 2-year-old a “little slut.” The family was using a “high quality video and audio” camera made by China-based Foscam.
In April and July, two separate groups of researchers revealed that these Internet-connected cameras have security flaws that make them easily hackable. When the Houston dad, Marc Gilbert, checked the settings for his account, he discovered that the toddler-hating invader took advantage of an exploit pointed out by the researchers to add his own username – “Root” – and password to the device so that he could log in to the baby monitor at will.
Unfortunately, when you power off the camera, it wipes its log of IP addresses; when Gilbert disconnected his camera to get rid of the intruder, he also eliminated the evidence that police might have used to find him.
Foscam released a firmware update in July that fixed the problem, announcing it in a blog post that did not emphasize the security risk. “I had no idea about the firmware update,” says Gilbert. He is not the only one.
Researchers Sergey Shekyan of Shape Security and Artem Harutyunyan from Qualys did a scan of Internet-connected Foscam cameras this week. Of the nearly 46,000 Foscams that came up in the scan, over 40,000 have not updated their systems to fix the vulnerability.
Shekyan – who was one of the researchers who initially identified the Foscam vulnerabilities – bought his cameras directly from Foscam. He got an e-mail this month from the company telling him he should update his firmware to protect against hackers. The e-mail – which is posted online as well – begins, “Due to recent exposure of Foscam cameras in the media, we felt it necessary to offer instructions on how to secure your camera from outside intruders.” Ideally, the company would have sent the e-mail before being shamed in the press because an outside intruder took advantage of the flaw.
But Gilbert still hasn’t gotten an e-mail because he bought through a reseller on Amazon, so Foscam doesn’t have his address. BBC News reports that at least one U.K. reseller is contacting customers about the security risk; hopefully others follow suit.
Better yet, Foscam would put an update notice on its Web interface so that anyone who signs in to look at their camera streams would see it. Shekyan says that Foscam’s system is such that he could actually “update the web interface of vulnerable cameras to let owners know about the new firmware” they should install. Though good-intentioned, that would be seen as illegal hacking if done by someone not employed by Foscam.
Foscam has not responded to media requests so it’s unclear why they haven’t done it themselves.