Hardcoded passwords could cause full IoT camera compromise

techtarget.com

Security researchers found a number of vulnerabilities in two models of IoT cameras that could allow attackers to fully compromise the IoT devices and repurpose them for malicious activity.

A report by F-Secure detailed 18 flaws in the Opticam i5, made by Foscam, and found many of those same flaws in the Foscam C2. F-Secure only investigated the two devices, but said “it is likely that many of these vulnerabilities also exist in other models throughout the company’s product line, and in other products Foscam manufactures,” under inexpensive white label branding.

One of the most critical vulnerabilities in the devices was the use of non-random, default hardcoded passwords for both admin access to the web user interface and the user account for the built-in FTP server of the IoT cameras. The hardcoded passwords are even more insecure because they are “blank,” meaning an attacker could log in to the device with the ID “admin” and no password would be required. This hardcoded password could even be used to bypass custom user credentials.

 
