September 29, 2017

Multiple flaws in Foscam IP cameras open devices, networks to attackers

Insecure IP cameras are yet another example of IoT devices that are not built to withstand the threat landscape of the internet.

Buckinghamshire, UK – 7th June 2017: F-Secure has discovered multiple vulnerabilities in two Foscam-made IP cameras that open the devices up to easy compromise by online attackers when exposed to the internet. The vulnerabilities allow an attacker to remotely control a device and its video feed and download files from its built-in server. If an exploited device has access to a local area network, the attacker could access the network and its resources. An attacker could also use a device to perform other malicious activity, such as DDoS attacks against other parties.


“These vulnerabilities are as bad as it gets,” said Harry Sintonen, senior security consultant at F-Secure, who found the vulnerabilities. “They allow an attacker to pretty much do whatever he wants. An attacker can exploit them one by one, or mix and match to get greater degrees of privilege inside the device and the network.”


The discovery is the latest in a long list of internet-enabled “things,” or smart devices, that are not adequately secured to withstand modern attacks that take place constantly across the internet. Smart cars, CCTV cameras, DVRs, water kettles and routers are just some of the devices that have been found to be woefully insecure. The problem has been magnified by botnets such as Mirai, which co-opted internet-exposed insecure cameras and DVRs to orchestrate last October’s giant internet outage – the largest DDoS attack against the internet infrastructure in history.


The vulnerabilities, which number 18 in total, offer an attacker multiple ways to compromise the device. Insecure, hard-coded and empty credentials give attackers easy administrator-level access, allowing full control over the device. The software neglects to restrict access to critical files and directories, allowing an attacker to modify them with their own commands. An attacker can also perform remote command injection, cross-site scripting, buffer overflows and brute-force password attacks, among other malicious actions, to ultimately fully compromise the device and access the network.


“Security has been ignored in the design of these products,” said Janne Kauhanen, cyber security expert at F-Secure. “The developers’ main concern is to get them working and ship them. This lack of attention to security puts users and their networks at risk. The irony is that this device is marketed as a way of making the physical environment more secure – however, it makes the virtual environment less so.”


Chinese manufacturer Foscam makes a number of IP cameras. Some are white-labeled and sold under various other brand names, one of which is OptiCam. The two models Sintonen investigated are the OptiCam i5 HD device and the Foscam C2. Sintonen says it’s likely many of these vulnerabilities also exist in other products Foscam manufactures.

Sintonen recommends keeping these devices in a separate network, not exposed to the internet. “Changing the default password is also a best practice that should always be followed,” he said. “Unfortunately, with these devices, hard-coded credentials can allow an attacker to bypass the password even if it’s changed.”

Foscam was notified about the vulnerabilities several months ago, but to date a fix has not been issued.


More information, including mitigation recommendations, can be found in the full report and blog post here.




More Information

Of Cameras & Compromise: How IoT Can Dull Your Competitive Edge

Foscam IP Cameras Show Why It’s So Hard to Secure the IoT

Video: Connected, and Compromised



About F-Secure

Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With unsurpassed experience in endpoint protection as well as detection and response, F-Secure shields enterprises and consumers against everything from advanced cyber attacks and data breaches to widespread ransomware infections. F-Secure’s sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security. F-Secure’s security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 broadband and mobile operators and thousands of resellers.


Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.

F-Secure media relations 

Geoff Dorrington

PR manager, F-Secure UK & Ireland


T: 01753 376592



