Thousands of wireless Mini Spy Camera connected to the Internet have serious security weaknesses that allow attackers to hijack them and alter their firmware, according to two researchers from security firm Qualys.
The cameras are sold under the Foscam brand in the U.S., but the same devices can be found in Europe and elsewhere with different branding, said Qualys researchers Sergey Shekyan and Artem Harutyunyan, who analyzed the security small cc camera of the devices and are scheduled to present their findings at the Hack in the Box security conference in Amsterdam on Thursday.
Also, they noted one of five cameras lets users log in using the default "admin" username and no password.
They said attackers can also exploit a cross-site request forgery (CSRF) flaw by tricking the camera administrator to open a specifically crafted link that will create a new administrator account to the camera.
Attackers can likewise resort to brute-force attacks to guess the password - and may have an easier time as the passwords are limited to 12 characters, they added.
Worse, if the cameras are also connected to the local network, they can be used to attack local devices not accessible via the Internet, the researchers said.
Even though the vendor has patched this vulnerability in the latest firmware, 99% of Foscam cameras on the Internet are still running older firmware versions and are vulnerable, they said. There is also a way to exploit this vulnerability even with the latest firmware installed if you have operator-level credentials for the camera.
Another method is to exploit a cross-site request forgery (CSRF) flaw in the interface by tricking the camera administrator to open a specifically crafted link. This can be used to add a secondary administrator account to the camera.
A third method is to perform a brute-force attack in order to guess the spy camera hd password, because the camera has no protection against this and the passwords are limited to 12 characters, the researchers said.