SKJM Forum

Support => iCam Support => Topic started by: sev on October 30, 2013, 12:09:09 AM

Title: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: sev on October 30, 2013, 12:09:09 AM
DO NOT UPDATE TO THE LATEST FOSCAM 8910W FIRMWARE!!!

Changes made (see below for changelog) ruined my iCam setup. Nothing else was changed.
Now all I get is "401 Webcam authorization failure" :(

Developer, please help! :( I cannot downgrade the Foscam firmware to a lower version. It sucks; I wish I had known this before updating. I updated to keep up with security vulnerabilities.

I have three (3) Foscam 8910W with the following settings: http://192.168.1.***:****/video.cgi (MJPEG)

Changelog:
Quote
1) Fix the CSRF security vulnerabilities;
2) Encrypt all the username and password with MD5;
3) Update the ActiveX version to 0.0.0.46;
4) Add promption if the disk for video recording is full.
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: SKJM Support on October 30, 2013, 06:59:35 PM
Are you able to see a feed from your cameras via your web browser?
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: sev on October 30, 2013, 07:00:57 PM
Yes, perfectly. It's from the iCam end and it happened directly after firmware update. :(

What can I do to help fix this? I love iCam and rely on it so much. A lot of people will be having this problem soon once they update.
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: sev on October 30, 2013, 07:26:13 PM
Also, one thing to note -- the login style has changed for new firmware.

It used to be an HTTP auth prompt (separate window), but now it's a user/pass in a website style. Here's a pic:
(http://imgur.com/qyaaUDz)
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: SKJM Support on October 31, 2013, 03:26:38 PM
Unfortunately our Foscam cameras are older models and cannot be upgraded to the latest firmware that contains the new MD5 authentication. Is there a way to change the authentication type under the new firmware?
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: sev on October 31, 2013, 05:45:05 PM
No, there is no setting. What can we do to help you? The 8910W is one of (if not THE) most popular security cameras on Amazon. Surely, people will have the same problem.
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: sev on November 01, 2013, 02:24:32 AM
So it begins...

http://foscam.us/forum/latest-firmware-54-on-fi8910w-breaks-login-t7585.html

Other people having same problem it seems.
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: sev on November 01, 2013, 02:29:53 AM
OKAY, here is the problem developer!!

(quoted from previous thread here: http://foscam.us/forum/latest-firmware-54-on-fi8910w-breaks-login-t7585.html)

I just confirmed that an app called Foscam Pro works. It specifically calls out a recent addition of MD5 for 89XX cameras so that was it.

Other program developer fixed it, so I am assuming it is a very fixable thing


Foscam pro: https://itunes.apple.com/us/app/foscam-pro-two-way-audio-recording/id509546027?mt=8
Quote
MD5 authentication for new 89XX firmware.
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: Stefan on November 01, 2013, 07:41:54 AM
In order to determine what needs to be changed and test any changes that we make, we would need to connect to a camera with the new firmware.

Foscam's own Live Demo FI8910W seems to still use the old firmware (11.37.2.52 instead of 11.37.2.54) with the standard method of authentication: http://foscam.us/live_demo

If a user has a camera with the new firmware that would be willing to configure it with a temporary login and password and let us connect to it, we can then see what needs to be changed in the iCamSource to support it.

(Just be sure that you have forwarded the appropriate port in your router to allow it to be connected to from outside of your local network.)

Please e-mail the camera's connection information (external IP address and port, login, password) to support@skjm.com and we will see what we can do to support this new firmware.
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: TheUberOverLord on November 01, 2013, 10:38:25 AM
There is a Foscam FI8910W that IS using this version of firmware that is a public Foscam Demo camera:

Please do a search on "Foscam demo" look for com not us results. Then choose the FI8910W demo camera, located there.

Note: Your forum would not allow me to make a forum link to where the Foscam demo camera is located for the FI8910W demo camera with the latest firmware version of x.x.x.54

IMHO. Third party software developers NEED to be proactive and keep "In Touch" with the camera manufacturers that they create software for. Camera owners should NOT be required to inform third party software suppliers of changes, when those developers can be informed via the manufacturers. This also places a large burden on the support forums for those manufacturers, who are also burdened in answering questions on "Why" this or that third party software, no longer works. Plus, it does NOT help the overall reputation of that third party software. When doing so.

Also, any camera owner who delays installing these latest Foscam firmware releases, due to trying to NOT cause issues with your application(s) and those cameras. Will be exposed to some security issues during that delay. Which is NOT good for those camera owners, who could have their cameras exploited, while waiting for your fixes.

I know this, because I am a moderator, in the Foscam community Forums.

Additionally. In this case, there was little effort made, to locate a Foscam demo camera, that could be used for testing that in fact has this version of firmware. Once again, placing the burden on camera owners, as well as myself, instead.

One can always post in the Foscam community forum to ask if a Foscam Demo camera is presently available for a specific camera model that has a specific version of firmware or contact Foscam using many different methods, to do same vs. Placing this burden on camera owners, first.

The reason "WHY" this upsets me as it does. Is because myself and others, in the Foscam community forum, will be "Stuck" answering camera owners questions about this issue, until you resolve this issue. Which could be many days or weeks before all versions of your application are changed and published. Even afterwards, it may require those camera owners be informed by others, including myself. That there is NOW a new version of your application, that is available, that fixes, this issue.

Please also note. This new Foscam firmware release, covers virtually "ALL" Foscam MJPEG based camera models. Which means that ANY Foscam camera owner who has upgraded their firmware for their MJPEG based cameras. WILL encounter this issue with your applications, as they are today. Hopefully, this will allow you to visualize, the extent of this problem and how many posts will be required to be answered, in the Foscam community forum, until this issue is resolved by you.

Please contact Foscam ASAP and ask that you can be "In the loop", as many developers have done, when changes like this take place in the future.

Since it's possible that not all Foscam based MJPEG camera owners who use your application, will upgrade to this firmware and future firmware releases. For their Foscam based MJPEG cameras. You will need to query the "get_status.cgi" to determine what the current version of firmware is for a specific camera. This will allow you to parse the system firmware version to determine how your logon to a specific camera, should be formatted. You could also create an option for your application to enable/disable this new feature.

If you don't implement this check/new option, as part of your fix, then you could make your application, non-functional, for Foscam camera owners, who had no issues with your application and their Foscam cameras, prior to making your changes.

Just trying to avoid another round of this issue taking place, in the near future. When you implement any changes.

Thanks.

Don
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: Stefan on November 01, 2013, 03:11:43 PM
Thank you, Don, for letting us know about the demo camera.

It looks like the new firmware will support the following MJPEG URL that is compatible with the iCamSource: http://IP:PORT/videostream.cgi?user=USERNAME&pwd=PASSWORD

Instead of entering the camera's login and password into the iCamSource, they are now included in the URL itself. Just replace IP, PORT, USERNAME, and PASSWORD with the appropriate value for your camera.

The Pan-Tilt and audio functionalities likely will not work, however, so that will be something we will need to change in the iCamSource to support.

As for the rest of your post saying that it is our responsibility to keep "in touch" with every IP camera manufacturer out there (we are aware of more than a hundred in our IP camera database) so that they can let us know when they are going to break an existing functionality in their cameras ... Well, I think that your position as a Foscam Community Forum Moderator gives you quite a different perspective than we have on the matter.
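The firmware check Don suggests and the URL form Stefan gives, combined as an added example; this is not iCamSource or Foscam code. It assumes get_status.cgi returns JavaScript-style `var name='value';` lines with a `sys_ver` field and that a fourth version component of 54 or higher means the new login; the sample responses, address and credentials are constructed.

```python
import base64
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed get_status.cgi bodies. The var name='value'; layout and the
# sys_ver field are assumptions about the camera's output, not thread data.
STATUS_NEW_FW = "var id='000000000000';\nvar sys_ver='11.37.2.54';\nvar app_ver='2.4.10.7';\n"
STATUS_OLD_FW = "var id='000000000000';\nvar sys_ver='11.37.2.52';\nvar alias='';\n"

_VAR = re.compile(r"var\s+(\w+)\s*=\s*'?([^';]*)'?\s*;")
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")
NEW_LOGIN_BUILD = 54  # assumption: x.x.x.54 and later use the URL login


def parse_status(body):
    """Turn the status body into a dict of variable name -> string value."""
    return dict(_VAR.findall(body))


def firmware_version(status):
    """Return sys_ver as a 4-tuple of ints, or None if missing or malformed."""
    m = _VERSION.fullmatch(status.get("sys_ver", "").strip())
    return tuple(int(p) for p in m.groups()) if m else None


def choose_auth(status, override=None):
    """Pick 'basic' or 'url'. A user override wins (the enable/disable option
    suggested in the thread); an unreadable version falls back to 'basic' so
    cameras that worked before the change keep working."""
    if override in ("basic", "url"):
        return override
    version = firmware_version(status)
    if version is None:
        return "basic"
    return "url" if version[3] >= NEW_LOGIN_BUILD else "basic"


def build_request(host, port, user, password, mode):
    """Return (url, headers) for the MJPEG stream in the chosen mode."""
    if mode == "url":
        # New firmware: credentials travel in the query string.
        query = urlencode({"user": user, "pwd": password})
        return f"http://{host}:{port}/videostream.cgi?{query}", {}
    # Old firmware: HTTP Basic Authentication, credentials in a header.
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"http://{host}:{port}/video.cgi", {"Authorization": "Basic " + token}


def redact_url(url):
    """Mask the pwd parameter before a URL is shown in a UI or written to a log."""
    parts = urlsplit(url)
    pairs = [(k, "***" if k.lower() == "pwd" else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="*")))


if __name__ == "__main__":
    for body in (STATUS_OLD_FW, STATUS_NEW_FW):
        status = parse_status(body)
        mode = choose_auth(status)
        url, headers = build_request("192.0.2.10", 8080, "viewer", "s3cret!", mode)
        print(status["sys_ver"], mode, redact_url(url), sorted(headers))
```
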
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: TheUberOverLord on November 01, 2013, 03:21:36 PM
Quote
Thank you, Don, for letting us know about the demo camera.

It looks like the new firmware will support the following MJPEG URL that is compatible with the iCamSource: http://IP:PORT/videostream.cgi?user=USERNAME&pwd=PASSWORD

Instead of entering the camera's login and password into the iCamSource, they are now included in the URL itself. Just replace IP, PORT, USERNAME, and PASSWORD with the appropriate value for your camera.

The Pan-Tilt and audio functionalities likely will not work, however, so that will be something we will need to change in the iCamSource to support.

As for the rest of your post saying that it is our responsibility to keep "in touch" with every IP camera manufacturer out there (we are aware of more than a hundred in our IP camera database) so that they can let us know when they are going to break an existing functionality in their cameras ... Well, I think that your position as a Foscam Community Forum Moderator gives you quite a different perspective than we have on the matter.

You are very welcome.

I can only say, that I don't enjoy donating my time, as I do as a free resource, in the Foscam community forum. To answering questions about third party application issues, that could have been avoided easily, when I could instead be helping camera owners with other issues. Doing so, also has no positive benefits to your application(s) reputation, which only potentially harms future sales.

I am and have been, a systems programmer consultant, for over 43 years now. I am and have been a third party developer, for many decades as well. Including Foscam interfaces, as well as many others, over the years.

If you have any doubts about my background? Since I currently am not allowed to include links in my posts here. I can only suggest that you do a Google search on "TheUberOverLord" without the double quotes and then clicking on the togetherweserved link shown, for more details about me.

IMHO. When anyone takes money for a third party application, they should also be responsible enough, to ask to receive an email by any manufacturer, when changes like this are made, that could impact their application. In this case, that option, is and was available. No "busy work" was required, minus requesting to be on a manufacturer's email list, once. This is SOP ("Standard Operating Procedure") really, Developer 101. Most IP Camera manufacturers, like Foscam. Have email lists, that you can request to be added to, as a third party developer, so that when changes like these take place. You will know about them ahead of time and have time to test any modifications you make as well.

I suggest making requests like this, because over time. Camera owners will and do start trash-talking third party software when they become angry enough. In most cases, posts like these are not deleted and remain in forums, like the Foscam community forum. If the poster controls their language, which again, does your application no good, now or in the future.

So my feelings about this issue, are not simply based on being a Foscam "Community" moderator. They are based on my experience, as well as being a developer of several different applications for several hundreds of manufacturers, for a very long time.

Don
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: sev on November 01, 2013, 05:47:22 PM
Quote
As for the rest of your post saying that it is our responsibility to keep "in touch" with every IP camera manufacturer out there (we are aware of more than a hundred in our IP camera database) so that they can let us know when they are going to break an existing functionality in their cameras ... Well, I think that your position as a Foscam Community Forum Moderator gives you quite a different perspective than we have on the matter.

This.

Don, I appreciate your tempered and tactful response, but don't you think a simple email to the developers of these apps would have been helpful to warn them of potential breakage?  I suppose that's where my frustration came in.
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: sev on November 01, 2013, 06:19:44 PM
Stefan/iCam Dev,

Thank you for the temp fix! It works so far.  Is there any way to asterisk out the password?  As of now anyone can see my iCam password. This really isn't a big deal (at least it works!!), but would be great if we could get more security in protecting password.

Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: TheUberOverLord on November 01, 2013, 06:36:53 PM
Quote
As for the rest of your post saying that it is our responsibility to keep "in touch" with every IP camera manufacturer out there (we are aware of more than a hundred in our IP camera database) so that they can let us know when they are going to break an existing functionality in their cameras ... Well, I think that your position as a Foscam Community Forum Moderator gives you quite a different perspective than we have on the matter.

This.

Don, I appreciate your tempered and tactful response, but don't you think a simple email to the developers of these apps would have been helpful to warn them of potential breakage?  I suppose that's where my frustration came in.

It's important to understand. That the SDKs ("Software Developer Kits") provided by Foscam are in the public domain. Because of this. Foscam really has no idea, whatsoever, as to who has or will create an application for Foscam cameras. It has always been this way for many years. So it's impossible for Foscam, to auto-add any email address, to an email list of developers, who should or want to be informed of any major changes, by Foscam.

Maybe I am "Old School" but ALL developers that charge money for their third party applications, who care about their customer base, that I know. Take the extra step of contacting any and all manufacturers which their applications are sold to work with, to their paying customers of those applications. So that situations like this can be avoided.

IMHO. This is the only correct approach. To do otherwise, places a heavy burden on others, as well as creates undue damage to your current customer base and for future sales of said application.

Again, IMHO the number of manufacturers an application can interface to, should never be an excuse to not attempt to get on these manufacturers' mailing lists for developers to be informed of major changes by those manufacturers.

I wish I could post links in this forum currently to better help explain this, but currently I am not allowed to because I am new to this forum.

This new Foscam firmware is VERY important to install ASAP. As I have mentioned to you, in the Foscam forum. Foscam MJPEG based camera owners who might delay installing that firmware because of issues they might have with this application are running a risk of having their cameras exploited, while waiting.

Again. While you are worried about the Foscam FI8910W camera model. All Foscam MJPEG based camera models will have issues with this application, when they install the most current firmware for their Foscam MJPEG based camera models, until this issue is resolved. So this issue will continue to be reported and grow as other camera owners realize, that their cameras will not work once they have installed this latest Foscam firmware, in their Foscam MJPEG based cameras. With this application.

Worst case. If a camera owner does not install the most current firmware for their Foscam camera. Those cameras could be exploited where email, FTP and DDNS passwords could be gathered. So, each camera owner has to decide what the acceptable risk is. This is why delaying installing this latest firmware while waiting for a fix for this application, might not be the best choice. For every camera owner.

It's because of this, that personally, I think developers should use due diligence, to avoid ever placing camera owners in a position like this one, when possible. Especially more so, when those applications are at cost, to camera owners. All this said. The same due diligence applies to virtually any third party application, not only camera applications.

Don
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: OUAnthony on November 01, 2013, 07:58:30 PM
Respectfully, I agree with sev. iCam is simply an app that supports virtually any MJPEG-based IP camera. It's not SKJM's fault that FOSCAM programmed security holes into their cameras and that they had to change the (authentication?) functionality in a manner that is apparently incompatible with virtually every other IP camera. Of course, maybe that begs the question: is the authentication method of all other MJPEG-based IP cameras at risk?

One last question: I have a LOFTEK CXS-2200 camera, which appears to be a FOSCAM knockoff. There are at least a few iCam users who use these cameras. Any idea if it suffers from the same security hole? If you don't know, do you know how hackers find these exploitable cameras (i.e. through random pings, through the built-in proxy support, etc)? The first thing I did when I got this camera (before there was a widely-known FOSCAM security hole) was to disable the built-in proxy through their Chinese server, disable uPNP, ensure no ports were forwarded to the camera from outside the network, etc. Hopefully, those steps are enough. :-/

Anyway, thank you for stopping by...and especially for reminding everyone that this is a serious risk. It's crazy how lax some people are about security. If you have links that contain more information about the exploit, etc, feel free to PM them to me and I'll be happy to post them. I'm sure SKJM would post them too. I know you don't have time to read around on the forums, but if you did, I think you'd leave with the impression that they do a really great job with customer support...especially for a $5 app.
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: TheUberOverLord on November 01, 2013, 08:58:00 PM
Quote
Respectfully, I agree with sev. iCam is simply an app that supports virtually any MJPEG-based IP camera. It's not SKJM's fault that FOSCAM programmed security holes into their cameras and that they had to change the (authentication?) functionality in a manner that is apparently incompatible with virtually every other IP camera. Of course, maybe that begs the question: is the authentication method of all other MJPEG-based IP cameras at risk?

One last question: I have a LOFTEK CXS-2200 camera, which appears to be a FOSCAM knockoff. There are at least a few iCam users who use these cameras. Any idea if it suffers from the same security hole? If you don't know, do you know how hackers find these exploitable cameras (i.e. through random pings, through the built-in proxy support, etc)? The first thing I did when I got this camera (before there was a widely-known FOSCAM security hole) was to disable the built-in proxy through their Chinese server, disable uPNP, ensure no ports were forwarded to the camera from outside the network, etc. Hopefully, those steps are enough. :-/

Anyway, thank you for stopping by...and especially for reminding everyone that this is a serious risk. It's crazy how lax some people are about security. If you have links that contain more information about the exploit, etc, feel free to PM them to me and I'll be happy to post them. I'm sure SKJM would post them too. I know you don't have time to read around on the forums, but if you did, I think you'd leave with the impression that they do a really great job with customer support...especially for a $5 app.

Currently. As stated earlier, because I am new here, I am not allowed to include links in my posts. I do have links that are helpful that explain how hackers can easily locate specific camera types to exploit. But because of this limitation, I can't post them here.

If you do a Google search on exactly "New IP Camera Exploits You Need To Be Aware Of" without the double quotes, you will see my topic about this subject matter, which is located at openipcam.

My suggestions here are to try and help avoid situations like this in the future. They are win win suggestions for both developers and camera owners. In the end, it's up to the developers to decide, if they will change their methods. I try to give solutions vs. simply complain about something.

Don
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: sev on November 01, 2013, 09:01:08 PM
He's talking about Shodan and read this PDF. It is (very) scary:

http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Sergey%20Shekyan%20and%20Artem%20Harutyunyan%20-%20Turning%20Your%20Surveillance%20Camera%20Against%20You.pdf
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: TheUberOverLord on November 01, 2013, 09:29:05 PM
Quote
He's talking about Shodan and read this PDF. It is (very) scary:

http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Sergey%20Shekyan%20and%20Artem%20Harutyunyan%20-%20Turning%20Your%20Surveillance%20Camera%20Against%20You.pdf

Correct!

As you can see. This is another reason to NOT delay installing the most current version of firmware for your cameras. Because these same hackers will attempt to see if a camera owner is currently protected from this or that exploit. Once Foscam says what is fixed in this or that firmware release, in the read me file, that is included in the firmware release. Hackers then learn quickly that prior versions of firmware are NOT protected, from what was fixed in that firmware release. Which is also the case for the x.x.x.54 firmware release.

Don
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: OUAnthony on November 02, 2013, 12:57:02 AM
FYI for fellow LOFTEK users, LOFTEK does have an updated firmware (lr_cmos_21_37_2_52.bin) for the CXS-2200 here: http://www.loftek.us/downloads/category/5

Breathe easy...it does not reset the camera to default factory pain-in-the-ass settings...my current settings were preserved. Also, it does not break the authentication function in the same manner as FOSCAM's update, so no alternate link is necessary. Thanks again for the heads-up Don.
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: Stefan on November 02, 2013, 04:36:22 PM
Quote
Stefan/iCam Dev,

Thank you for the temp fix! It works so far.  Is there any way to asterisk out the password?  As of now anyone can see my iCam password. This really isn't a big deal (at least it works!!), but would be great if we could get more security in protecting password.

Not currently (as it is a part of the URL) but when we release the updated version of the iCamSource that supports the new authentication you should be able to enter the login and password in the appropriate edit boxes in the iCamSource, just like you did before, so the password would once again be asterisk-ed out.

Quote
Respectfully, I agree with sev. iCam is simply an app that supports virtually any MJPEG-based IP camera. It's not SKJM's fault that FOSCAM programmed security holes into their cameras and that they had to change the (authentication?) functionality in a manner that is apparently incompatible with virtually every other IP camera. Of course, maybe that begs the question: is the authentication method of all other MJPEG-based IP cameras at risk?

Anyway, thank you for stopping by...and especially for reminding everyone that this is a serious risk. It's crazy how lax some people are about security. If you have links that contain more information about the exploit, etc, feel free to PM them to me and I'll be happy to post them. I'm sure SKJM would post them too. I know you don't have time to read around on the forums, but if you did, I think you'd leave with the impression that they do a really great job with customer support...especially for a $5 app.

Thank you for your post, OUAnthony. :)

Don, like OUAnthony said, iCam isn't a dedicated IP camera app ... It is primarily used to monitor computer-connected webcams from a mobile device. The iCamSource application running on a computer monitors the video feed to record motion events and send notifications to the mobile device when motion is detected.

In response to user requests early on, we added general IP camera support for cameras that supported MJPEG and HTTP Basic Authentication, which a lot of them do. When Foscam removed the HTTP Basic Authentication (which I don't understand, since they replaced it with sending the login and password in the clear as a part of the HTTP GET request) then their cameras were no longer compatible with the iCamSource and iCam. Since a number of our users do use Foscam cameras, we are going to make the appropriate changes to the iCamSource to continue to support them, but I believe that it would have been a perfectly acceptable response to simply state that we no longer supported or recommended Foscam cameras due to them removing support for standard Basic HTTP Authentication.

Finally, if you want to post links but are a new member (the forum limits posting links to reduce spam), you can post them and replace the "http" with "hxxp" or something similar. We can then copy-and-paste them into our web browsers, changing the "hxxp" back to "http" to visit them.

Thanks again for the opinions, information, and feedback, Don. Hope you have a good rest of your weekend. :)
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: Stefan on November 05, 2013, 09:44:16 AM
sev, what operating system are you running on your computer, Mac OS X or Windows? We should have a version available shortly for you to try out that should fix this issue.
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: Stefan on November 05, 2013, 11:27:34 AM
Here are the Mac versions:

Mac OS X 10.6 (Snow Leopard) and later - http://skjm.com/icam/iCamSource2.7.2.dmg
Mac OS X 10.4 & 10.5 (Tiger & Leopard) - http://skjm.com/icam/iCamSource_Tiger_Leopard_2.7.2.dmg

We'll work on putting together the Windows version next.
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: Stefan on November 05, 2013, 05:53:16 PM
Version 2.7.2 of the iCamSource should fix this new Foscam firmware issue, now available for both Mac and Windows: http://skjm.com/forum/index.php?topic=6000.0
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: OUAnthony on November 05, 2013, 06:24:27 PM
Will this update maintain support for the original authentication method as well? I ask because LOFTEK is a FOSCAM-knockoff...but the original authentication method still works (even after the security update). Thanks!
Title: Re: URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!
Post by: Stefan on November 05, 2013, 06:33:23 PM
Quote
Will this update maintain support for the original authentication method as well? I ask because LOFTEK is a FOSCAM-knockoff...but the original authentication method still works (even after the security update). Thanks!

Yes, it supports both the old and the new authentication. :)