URGENT: Foscam 8910W FW 11.37.2.54/2.4.10.7 breaks iCAM!!!

[OUAnthony]

Respectfully, I agree with sev. iCam is simply an app that supports virtually any MJPEG-based IP camera. It's not SKJM's fault that FOSCAM programmed security holes into their cameras and that they had to change the (authentication?) functionality in a manner that is apparently incompatible with virtually every other IP camera. Of course, maybe that begs the question: is the authentication method of all other MJPEG-based IP cameras at risk?

One last question: I have a LOFTEK CXS-2200 camera, which appears to be a FOSCAM knockoff. There are at least a few iCam users who use these cameras. Any idea if it suffers from the same security hole? If you don't know, do you know how hackers find these exploitable cameras (i.e. through random pings, through the built-in proxy support, etc)? The first thing I did when I got this camera (before there was a widely-known FOSCAM security hole) was to disable the built-in proxy through their Chinese server, disable uPNP, ensure no ports were forwarded to the camera from outside the network, etc. Hopefully, those steps are enough. :-/

Anyway, thank you for stopping by...and especially for reminding everyone that this is a serious risk. It's crazy how lax some people are about security. If you have links that contain more information about the exploit, etc, feel free to PM them to me and I'll be happy to post them. I'm sure SKJM would post them too. I know you don't have time to read around on the forums, but if you did, I think you'd leave with the impression that they do a really great job with customer support...especially for a $5 app.

[TheUberOverLord]

Respectfully, I agree with sev. iCam is simply an app that supports virtually any MJPEG-based IP camera. It's not SKJM's fault that FOSCAM programmed security holes into their cameras and that they had to change the (authentication?) functionality in a manner that is apparently incompatible with virtually every other IP camera. Of course, maybe that begs the question: is the authentication method of all other MJPEG-based IP cameras at risk?

One last question: I have a LOFTEK CXS-2200 camera, which appears to be a FOSCAM knockoff. There are at least a few iCam users who use these cameras. Any idea if it suffers from the same security hole? If you don't know, do you know how hackers find these exploitable cameras (i.e. through random pings, through the built-in proxy support, etc)? The first thing I did when I got this camera (before there was a widely-known FOSCAM security hole) was to disable the built-in proxy through their Chinese server, disable uPNP, ensure no ports were forwarded to the camera from outside the network, etc. Hopefully, those steps are enough. :-/

Anyway, thank you for stopping by...and especially for reminding everyone that this is a serious risk. It's crazy how lax some people are about security. If you have links that contain more information about the exploit, etc, feel free to PM them to me and I'll be happy to post them. I'm sure SKJM would post them too. I know you don't have time to read around on the forums, but if you did, I think you'd leave with the impression that they do a really great job with customer support...especially for a $5 app.

Currently. As stated earlier, because I am new here, I am not allowed to include links in my posts. I do have links that are helpful that explain how hackers can easily locate specific camera types to exploit. But because of this limitation, I can't post them here.

If you do a Google search on exactly "New IP Camera Exploits You Need To Be Aware Of" without the double quotes, you will see my topic about this subject matter, which is located at openipcam.

My suggestions here are to try and help avoid situations like this in the future. They are win win suggestions for both developers and camera owners. In the end, it's up to the developers to decide, if they will change their methods. I try to give solutions vs. simply complain about something.

Don

[sev]

He's talking about Shodan and read this PDF. It is (very) scary:

http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Sergey%20Shekyan%20and%20Artem%20Harutyunyan%20-%20Turning%20Your%20Surveillance%20Camera%20Against%20You.pdf

[TheUberOverLord]

He's talking about Shodan and read this PDF. It is (very) scary:

http://conference.hitb.org/hitbsecconf2013ams/materials/D2T1%20-%20Sergey%20Shekyan%20and%20Artem%20Harutyunyan%20-%20Turning%20Your%20Surveillance%20Camera%20Against%20You.pdf

Correct!

As you can see. This is another reason to NOT delay installing the most current version of firmware for your cameras. Because these same hackers will attempt to see if a camera owner is currently protected from this or that exploit. Once Foscam says what is fixed in this or that firmware release, in the read me file, that is included in the firmware release. Hackers then learn quickly that prior versions of firmware are NOT protected, from what was fixed in that firmware release. Which is also the case for the x.x.x.54 firmware release.

Don

[OUAnthony]

FYI for fellow LOFTEK users, LOFTEK does have an updated firmware (lr_cmos_21_37_2_52.bin) for the CXS-2200 here: http://www.loftek.us/downloads/category/5

Breath easy...it does not reset the camera to default factory pain-in-the-ass settings...my current settings were preserved. Also, it does not break the authentication function in the same manner as FOSCAM's update, so no alternate link is necessary. Thanks again for the heads-up Don.

[Stefan]

Stefan/iCam Dev,

Thank you for the temp fix! It works so far.  Is there any way to asterisk out the password?  As of now anyone can see my iCam password. This really isn't a big deal (at least it works!!), but would be great if we could get more security in protecting password.

Not currently (as it is a part of the URL) but when we release the updated version of the iCamSource that supports the new authentication you should be able to enter the login and password in the appropriate edit boxes in the iCamSource, just like you did before, so the password would once again be asterisk-ed out.

Respectfully, I agree with sev. iCam is simply an app that supports virtually any MJPEG-based IP camera. It's not SKJM's fault that FOSCAM programmed security holes into their cameras and that they had to change the (authentication?) functionality in a manner that is apparently incompatible with virtually every other IP camera. Of course, maybe that begs the question: is the authentication method of all other MJPEG-based IP cameras at risk?

Anyway, thank you for stopping by...and especially for reminding everyone that this is a serious risk. It's crazy how lax some people are about security. If you have links that contain more information about the exploit, etc, feel free to PM them to me and I'll be happy to post them. I'm sure SKJM would post them too. I know you don't have time to read around on the forums, but if you did, I think you'd leave with the impression that they do a really great job with customer support...especially for a $5 app.

Thank you for your post, OUAnthony.

Don, like OUAnthony said, iCam isn't a dedicated IP camera app ... It is primarily used to monitor computer-connected webcams from a mobile device. The iCamSource application running on a computer monitors the video feed to record motion events and send notifications to the mobile device when motion is detected.

In response to user requests early on, we added general IP camera support for cameras that supported MJPEG and HTTP Basic Authentication, which a lot of them do. When Foscam removed the HTTP Basic Authentication (which I don't understand, since they replaced it with sending the login and password in the clear as a part of the HTTP GET request) then their cameras were no longer compatible with the iCamSource and iCam. Since a number of our users do use Foscam cameras, we are going to make the appropriate changes to the iCamSource to continue to support them, but I believe that it would have been a perfectly acceptable response to simply state that we no longer supported or recommended Foscam cameras due to them removing support for standard Basic HTTP Authentication.

Finally, if you want to post links but are a new member (the forum limits posting links to reduce spam), you can post them and replace the "http" with "hxxp" or something similar. We can then copy-and-paste them into our web browsers, changing the "hxxp" back to "http" to visit them.

Thanks again for the opinions, information, and feedback, Don. Hope you have a good rest of your weekend.

[Stefan]

sev, what operating system are you running on your computer, Mac OS X or Windows? We should have a version available shortly for you to try out that should fix this issue.

[Stefan]

Here are the Mac versions:

Mac OS X 10.6 (Snow Leopard) and later - http://skjm.com/icam/iCamSource2.7.2.dmg
Mac OS X 10.4 & 10.5 (Tiger & Leopard) - http://skjm.com/icam/iCamSource_Tiger_Leopard_2.7.2.dmg

We'll work on putting together the Windows version next.

[Stefan]

Version 2.7.2 of the iCamSource should fix this new Foscam firmware issue, now available for both Mac and Windows: http://skjm.com/forum/index.php?topic=6000.0

[OUAnthony]

Will this update maintain support the original authentication method as well? I ask because LOFTEK is a FOSCAM-knockoff...but the original authentication method still works (even after the security update). Thanks!

[Stefan]

Will this update maintain support the original authentication method as well? I ask because LOFTEK is a FOSCAM-knockoff...but the original authentication method still works (even after the security update). Thanks!

Yes, it supports both the old and the new authentication.