Messages - TheUberOverLord

1
He's talking about Shodan and read this PDF. It is (very) scary:

http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Sergey%20Shekyan%20and%20Artem%20Harutyunyan%20-%20Turning%20Your%20Surveillance%20Camera%20Against%20You.pdf

Correct!

As you can see. This is another reason to NOT delay installing the most current version of firmware for your cameras. Because these same hackers will attempt to see if a camera owner is currently protected from this or that exploit. Once Foscam says what is fixed in this or that firmware release, in the read me file, that is included in the firmware release. Hackers then learn quickly that prior versions of firmware are NOT protected, from what was fixed in that firmware release. Which is also the case for the x.x.x.54 firmware release.

Don

2
Respectfully, I agree with sev. iCam is simply an app that supports virtually any MJPEG-based IP camera. It's not SKJM's fault that FOSCAM programmed security holes into their cameras and that they had to change the (authentication?) functionality in a manner that is apparently incompatible with virtually every other IP camera. Of course, maybe that begs the question: is the authentication method of all other MJPEG-based IP cameras at risk?

One last question: I have a LOFTEK CXS-2200 camera, which appears to be a FOSCAM knockoff. There are at least a few iCam users who use these cameras. Any idea if it suffers from the same security hole? If you don't know, do you know how hackers find these exploitable cameras (i.e. through random pings, through the built-in proxy support, etc)? The first thing I did when I got this camera (before there was a widely-known FOSCAM security hole) was to disable the built-in proxy through their Chinese server, disable uPNP, ensure no ports were forwarded to the camera from outside the network, etc. Hopefully, those steps are enough. :-/

Anyway, thank you for stopping by...and especially for reminding everyone that this is a serious risk. It's crazy how lax some people are about security. If you have links that contain more information about the exploit, etc, feel free to PM them to me and I'll be happy to post them. I'm sure SKJM would post them too. I know you don't have time to read around on the forums, but if you did, I think you'd leave with the impression that they do a really great job with customer support...especially for a $5 app.

Currently. As stated earlier, because I am new here, I am not allowed to include links in my posts. I do have links that are helpful that explain how hackers can easily locate specific camera types to exploit. But because of this limitation, I can't post them here.

If you do a Google search on exactly "New IP Camera Exploits You Need To Be Aware Of" without the double quotes, you will see my topic about this subject matter, which is located at openipcam.

My suggestions here are to try and help avoid situations like this in the future. They are win win suggestions for both developers and camera owners. In the end, it's up to the developers to decide, if they will change their methods. I try to give solutions vs. simply complain about something.

Don

3
Quote
As for the rest of your post saying that it is our responsibility to keep "in touch" with every IP camera manufacturer out there (we are aware of more than a hundred in our IP camera database) so that they can let us know when they are going to break an existing functionality in their cameras ... Well, I think that your position as a Foscam Community Forum Moderator gives you quite a different perspective than we have on the matter.

This.

Don, I appreciate your tempered and tactful response, but don't you think a simple email to the developers of these apps would have been helpful to warn them of potential breakage? I suppose that's where my frustration came in.

It's important to understand. That the SDKs ("Software Developer Kits") provided by Foscam are in the public domain. Because of this. Foscam really has no idea, whatsoever, as to who has or will create an application for Foscam cameras. It has always been this way for many years. So it's impossible for Foscam, to auto-add any email address, to an email list of developers, who should or want to be informed of any major changes, by Foscam.

Maybe I am "Old School" but ALL developers that charge money for their third party applications, who care about their customer base, that I know. Take the extra step of contacting any and all manufacturers which their applications are sold to work with, to their paying customers of those applications. So that situations like this can be avoided.

IMHO. This is the only correct approach. To do otherwise, places a heavy burden on others, as well as creates undue damage to your current customer base and for future sales of said application.

Again, IMHO the number of manufacturers an application can interface to, should never be an excuse to not attempt to get on these manufacturers' mailing lists for developers to be informed of major changes by those manufacturers.

I wish I could post links in this forum currently to better help explain this, but currently I am not allowed to because I am new to this forum.

This new Foscam firmware is VERY important to install ASAP. As I have mentioned to you, in the Foscam forum. Foscam MJPEG based camera owners who might delay installing that firmware because of issues they might have with this application are running a risk of having their cameras exploited, while waiting.

Again. While you are worried about the Foscam FI8910W camera model. All Foscam MJPEG based camera models will have issues with this application, when they install the most current firmware for their Foscam MJPEG based camera models, until this issue is resolved. So this issue will continue to be reported and grow as other camera owners realize, that their cameras will not work once they have installed this latest Foscam firmware, in their Foscam MJPEG based cameras. With this application.

Worst case. If a camera owner does not install the most current firmware for their Foscam camera. Those cameras could be exploited where email, FTP and DDNS passwords could be gathered. So, each camera owner has to decide what the acceptable risk is. This is why delaying installing this latest firmware while waiting for a fix for this application, might not be the best choice. For every camera owner.

It's because of this, that personally, I think developers should use due diligence, to avoid ever placing camera owners in a position like this one, when possible. Especially more so, when those applications are at cost, to camera owners. All this said. The same due diligence applies to virtually any third party application, not only camera applications.

Don

4
Thank you, Don, for letting us know about the demo camera.

It looks like the new firmware will support the following MJPEG URL that is compatible with the iCamSource: http://IP:PORT/videostream.cgi?user=USERNAME&pwd=PASSWORD

Instead of entering the camera's login and password into the iCamSource, they are now included in the URL itself. Just replace IP, PORT, USERNAME, and PASSWORD with the appropriate value for your camera.

The Pan-Tilt and audio functionalities likely will not work, however, so that will be something we will need to change in the iCamSource to support.

As for the rest of your post saying that it is our responsibility to keep "in touch" with every IP camera manufacturer out there (we are aware of more than a hundred in our IP camera database) so that they can let us know when they are going to break an existing functionality in their cameras ... Well, I think that your position as a Foscam Community Forum Moderator gives you quite a different perspective than we have on the matter.

You are very welcome.

I can only say, that I don't enjoy donating my time, as I do as a free resource, in the Foscam community forum, to answering questions about third party application issues, that could have been avoided easily, when I could instead be helping camera owners with other issues. Doing so, also has no positive benefits to your application(s) reputation, which only potentially harms future sales.

I am and have been, a systems programmer consultant, for over 43 years now. I am and have been a third party developer, for many decades as well. Including Foscam interfaces, as well as many others, over the years.

If you have any doubts about my background? Since I currently am not allowed to include links in my posts here. I can only suggest that you do a Google search on "TheUberOverLord" without the double quotes and then clicking on the togetherweserved link shown, for more details about me.

IMHO. When anyone takes money for a third party application, they should also be responsible enough, to ask to receive an email by any manufacturer, when changes like this are made, that could impact their application. In this case, that option, is and was available. No "busy work" was required, minus requesting to be on a manufacturer's email list, once. This is SOP ("Standard Operating Procedure") really, Developer 101. Most IP Camera manufacturers, like Foscam. Have email lists, that you can request to be added to, as a third party developer, so that when changes like these take place. You will know about them ahead of time and have time to test any modifications you make as well.

I suggest making requests like this, because over time. Camera owners will and do start trash-talking third party software when they become angry enough. In most cases, posts like these are not deleted and remain in forums, like the Foscam community forum. If the poster controls their language, which again, does your application no good, now or in the future.

So my feelings about this issue, are not simply based on being a Foscam "Community" moderator. They are based on my experience, as well as being a developer of several different applications for several hundreds of manufacturers, for a very long time.

Don

5
There is a Foscam FI8910W that IS using this version of firmware that is a public Foscam Demo camera:

Please do a search on "Foscam demo" look for com not us results. Then choose the FI8910W demo camera, located there.

Note: Your forum would not allow me to make a forum link to where the Foscam demo camera is located for the FI8910W demo camera with the latest firmware version of x.x.x.54

IMHO. Third party software developers NEED to be proactive and keep "In Touch" with the camera manufacturers that they create software for. Camera owners should NOT be required to inform third party software suppliers of changes, when those developers can be informed via the manufacturers. This also places a large burden on the support forums for those manufacturers, who are also burdened in answering questions on "Why" this or that third party software, no longer works. Plus, it does NOT help the overall reputation of that third party software. When doing so.

Also, any camera owner who delays installing these latest Foscam firmware releases, due to trying to NOT cause issues with your application(s) and those cameras. Will be exposed to some security issues during that delay. Which is NOT good for those camera owners, who could have their cameras exploited, while waiting for your fixes.

I know this, because I am a moderator, in the Foscam community Forums.

Additionally. In this case, there was little effort made, to locate a Foscam demo camera, that could be used for testing that in fact has this version of firmware. Once again, placing the burden on camera owners, as well as myself, instead.

One can always post in the Foscam community forum to ask if a Foscam Demo camera is presently available for a specific camera model that has a specific version of firmware or contact Foscam using many different methods, to do same vs. placing this burden on camera owners, first.

The reason "WHY" this upsets me as it does. Is because myself and others, in the Foscam community forum, will be "Stuck" answering camera owners' questions about this issue, until you resolve this issue. Which could be many days or weeks before all versions of your application are changed and published. Even afterwards, it may require those camera owners be informed by others, including myself. That there is NOW a new version of your application, that is available, that fixes, this issue.

Please also note. This new Foscam firmware release, covers virtually "ALL" Foscam MJPEG based camera models. Which means that ANY Foscam camera owner who has upgraded their firmware for their MJPEG based cameras. WILL encounter this issue with your applications, as they are today. Hopefully, this will allow you to visualize, the extent of this problem and how many posts will be required to be answered, in the Foscam community forum, until this issue is resolved by you.

Please contact Foscam ASAP and ask that you can be "In the loop", as many developers have done, when changes like this take place in the future.

Since it's possible that not all Foscam based MJPEG camera owners who use your application, will upgrade to this firmware and future firmware releases. For their Foscam based MJPEG cameras. You will need to query the "get_status.cgi" to determine what the current version of firmware is for a specific camera. This will allow you to parse the system firmware version to determine how your logon to a specific camera, should be formatted. You could also create an option for your application to enable/disable this new feature.

If you don't implement this check/new option, as part of your fix, then you could make your application, non-functional, for Foscam camera owners, who had no issues with your application and their Foscam cameras, prior to making your changes.

Just trying to avoid another round of this issue taking place, in the near future. When you implement any changes.

Thanks.

Don
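
The firmware check suggested in the last post above, sketched as an added example (not code from any poster, from Foscam, or from the iCam developers). It assumes the `get_status.cgi` response carries a `var sys_ver='a.b.c.d';` line and that the fourth field reaching 54 marks the new logon format, since the posts only name the release as "x.x.x.54"; the function names and sample responses are constructed. Because the new URL form puts the password in the query string, the sketch also masks it before logging.

```python
import re
from urllib.parse import urlencode

# Assumption: the posts only identify the release as "x.x.x.54", so the
# fourth version field is compared against 54.
NEW_LOGON_MIN_BUILD = 54

_SYS_VER = re.compile(r"var\s+sys_ver\s*=\s*'(\d+)\.(\d+)\.(\d+)\.(\d+)'")

def parse_sys_ver(status_text):
    """Return the firmware version as a 4-tuple of ints, or None if absent."""
    m = _SYS_VER.search(status_text)
    return tuple(int(p) for p in m.groups()) if m else None

def choose_logon(status_text, override=None):
    """Pick 'url' (credentials in the query string) or 'legacy'.

    override: None = auto-detect from firmware, or 'url'/'legacy' to force
    one format (the enable/disable option suggested in the post).
    """
    if override in ("url", "legacy"):
        return override
    ver = parse_sys_ver(status_text)
    if ver is None:
        return "legacy"  # unknown firmware: keep the behaviour that worked before
    return "url" if ver[3] >= NEW_LOGON_MIN_BUILD else "legacy"

def stream_url(host, port, user, pwd, mode):
    """Build the videostream.cgi URL for the chosen logon format."""
    base = f"http://{host}:{port}/videostream.cgi"
    if mode == "url":
        return base + "?" + urlencode({"user": user, "pwd": pwd})
    return base  # legacy: the client supplies credentials separately

def redact(url):
    """Mask the pwd parameter before the URL is written to any log."""
    return re.sub(r"(pwd=)[^&]*", r"\1***", url)

# Constructed sample responses (not captured from a real camera).
OLD_FW = "var id='000000000000';\nvar sys_ver='11.37.2.49';\nvar app_ver='2.0.10.3';\n"
NEW_FW = "var id='000000000000';\nvar sys_ver='11.37.2.54';\nvar app_ver='2.0.10.5';\n"

if __name__ == "__main__":
    for text in (OLD_FW, NEW_FW):
        mode = choose_logon(text)
        url = stream_url("192.0.2.10", 80, "viewer", "s3cret", mode)
        print(parse_sys_ver(text), mode, redact(url))
```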
