Babycam hacking

Very scary BBC Article. Particularly relevant to Foscam/GadgetFreakz and Trendnet.

Some very dark possibilities!

Not scary, predictable! - anyone who knows anything about IT knows this is a possibility. Security in depth. This is why organizations don't just put all their servers straight onto the internet, that is why they have firewalls, subnets, etc, etc! If people aren't confident exposing their linux and UNIX servers or whatever straight to the WWW what chance does the programming of a cheapo home IP camera stand when exposed to the internet?

As for users who have had their cameras hacked because they have not changed the username and password, well they deserve what they get.

Sorry not much sympathy from me, we are not yet in this magical ultra secure IT environment that is predicted and home users still need to take responsibility and common sense for their actions.

Without going into too much detail I could have told the BBC last year things like this could be possible with cheapo IP cameras anyone been interested, and this discovery came only from faffing about with my own IP cameras.

Edited by Pipexer (Thu 15-Aug-13 00:13:15)

In reply to a post by Pipexer:

As for users who have had their cameras hacked because they have not changed the username and password, well they deserve what they get.

They might deserve a little comedic "Hallo!" down the lines, but not to the kid. That's not very funny. I suppose though, if there's no real harm done, and it gets parents thinking about web security (specifically keeping their kids away from the net when not being supervised).

More disturbing to me was the name of the girl being picked up in the first case, and the entry of the parent being seen in the second.

If the hacker keeps quiet, we are left with the possibility of paedophilic voyeurism, with onward circulation.

I do not think typical parents should be expected to realise an internet babycam needs security setting up. Even if changing the username and password from the default is recommended in the instructions.

They'll be pleased enough with themselves at getting it working at all, and how secure a username and password are they going to dream up?

In reply to a post by RobertoS:

and how secure a username and password are they going to dream up?

Even before the web (for me that was 1997/8 ish), I used relatively secure passwords. Always believed there was a chance of the worst. Not that there was anything worse than a CV or an embarrassing diary entry or two.

Likewise. But neither of us is typical of today's babycam buyer.

A couple of the manufacturers appear to have implemented security patches, so better safeguards are possible.

I did have a webcam for a while when chatting online to my Dad. I always made a point of pointing it to the desk when not in use. Apart from anything else, I wasn't the only user of the PC.

I think people will be well aware that a webcam attached to their computer will be just as vulnerable as the computer itself. My point is I have grave doubts as to whether the same association is made in the minds of most parents setting up a babycam for them to monitor the well-being of their child.

At the time of purchase and installation they have different motives and thoughts.

As a point of interest, I have no idea of the status of the camera facing me from the top of my screen right now. Hmmm .

In reply to a post by RobertoS:

As a point of interest, I have no idea of the status of the camera facing me from the top of my screen right now. Hmmm .

A bit of sticky tape will immediately solve that problem

As could a few others by closing the lid first and using the tape to stop it being opened .

The security hole for this type of Foscam camera that allows the so-called 'hackers' to gain access was patched back in April 2013.

It's on the Foscam website. it's on their blog. They even send out the notification as part of their mailing list.

So whoses fault for not updating the firmware?

The article I linked to does say about the April emergency patch . It also mentions a further update in June.

The vast majority do not read blogs about a simple gadget they have installed, not do they ever again go to the manufacturer's website. Even if they went there in the first place. Did you read the article? "Visitors to the firm's homepage do not see any notice of the critical upgrade."

I accept your point about they should have had an email. However there is no mention of Foscam having sent such an email except to people who have signed up to a firmware update newsletter. Only one retailer.

How likely is it that "It won't happen to us" will apply? I doubt if either email mentioned the database scraping used to trawl for potential targets.

Non-techie gadget buyers expect PnP and forget about it as long as it works.