BY: Follow @BillGertz
June 12, 2017 5:38 pm
A Chinese company warned Monday that some of its remote-controlled video cameras contain flaws that a security firm said could be used in cyber attacks and cyber espionage.
The notice sent by Foscam USA, a subsidiary of Foscam Intelligent Technology Co. Ltd. that sells internet-linked video cameras, said in an urgent notice that 12 models made by China-based Shenzhen Foscam contain security flaws.
The flaws could allow the cameras to be taken over and used in massive cyber strikes called distributed denial of service attacks.
“Foscam US has been notified of 18 security vulnerabilities that exist on cameras manufactured by Shenzhen Foscam which leave users vulnerable to hacks which allow attackers to remotely take-over cameras, live stream, download stored files, and even compromise other devices located on the local network,” the company said.
The company urged users to disconnect the cameras from the internet until the security vulnerabilities can be patched.
Foscam states on its website that it was founded in 2007 and “is among the top three civil IP camera producers in China.” It operates in more than 60 nations and regions including the United States, Canada, Brazil, France, Britain, and Singapore.
The email notice said the Chinese company has not yet provided a patch or fix to the cyber security issue.
The failure to patch the vulnerabilities has heightened fears among cyber security analysts who say the Chinese could be using the cameras for nefarious purposes.
The Washington Free Beacon reported June 6 that a Chinese cyber security firm was being used by the civilian spy service to conduct large-scale cyber espionage against the United States and other countries.
One private cyber security expert said the Foscam camera cyber security risk was highlighted by the major cyber attack that disrupted internet service in the eastern United States last fall.
That cyber attack triggered a partial U.S. internet blackout following three waves of cyber attacks using hijacked, unsecure internet devices that were taken over using the Mirai malware.
The target of the distributed denial of service attack was an internet hardware company in New Hampshire called Dyn.
The unidentified hackers created a massive network of hijacked devices—routers, cameras, DVRs, and similar internet devices—that were infected with the Mirai malware and exploited the devices software flaw to target Dyn with internet website requests.
It was one of the first major cyber attacks involving the use of the Internet of Things—millions of computerized devices that are connected to the internet, ranging from cars to refrigerators.
The massive hack was viewed by government officials and private security experts as a possible test run for a future cyber attack designed to disrupt or shut down internet service.
Foscam, short for focus camera, sent the notice after a report published June 7 by the security firm F-Secure revealed the security flaws.
“Foscam-made IP cameras have multiple vulnerabilities that can lead to full device compromise,” the report said.
Hackers could use the flaws to view the video feed, control the camera’s operation, and upload and download files from the built in server.
“They can stop or freeze the video feed, and use the compromised device for further actions such as [distributed denial of service] or other malicious activity,” the report said.
“If the device is in a corporate local area network, and the attacker gains access to the network, they can compromise the device and infect it with a persistent remote access malware,” the report added. “The malware would then allow the attacker unfettered access to the corporate network and the associated resources.”
The flaw built into the vulnerable cameras includes what the report called “hard-coded” passwords, which means “it is highly likely that malicious actors will gain access to the account.”
The report did not name Shenzhen Foscam but said the company that made the cameras did not respond to notifications about the security flaws and was given several months to respond.
“To date no fixes have been issued by the vendor,” the report said. “Because there appear to be no fixes available, we have refrained from publishing exploit code for practical proof-of-concept attacks.”
The FBI warned in a notice in November that American companies should take measures to protect against Mirai malware botnet attacks.
“The exploitation of the ‘Internet of Things’ (IOT) to conduct small-to-large scale attacks on the private industry will very likely continue due to the open availability of the malware source codes for targeting IoT devices and insufficient IOT device security,” the FBI’s Task Force stated in the notice.
Mirai uses a list of 62 commonly used usernames and passwords to scan the internet for vulnerable openings on internet devices.
The Dyn cyber attack employed hijacked home routers, network-enabled cameras, and digital video recorders.
“Recent reporting demonstrates that botnets comprised of [Internet of Things] devices can be used to conduct unprecedented and powerful attacks that can take down websites,” the FBI notice said.