Just got an email from Foscam re: Vulnerabilities

wayner

Anyone else get this? (I have purchased cameras from the Foscam website in the past - I believe it is now called Amcrest). They say in the letter that these vulnerabilities do NOT affect Amcrest branded cameras. However, I don't think that is true, as one of the vulnerabilities listed (INSECURE DEFAULT CREDENTIALS (CWE-255)) is non-random default password/username, and some, or all, Amcrest cameras use admin/admin as the default username/password combo.

We wanted to reach out as soon as possible to inform you of recently discovered security vulnerabilities affecting "Foscam" branded cameras manufactured by China-based Shenzhen Foscam. Foscam US has been notified of 18 security vulnerabilities that exist on cameras manufactured by Shenzhen Foscam which leave users vulnerable to hacks which allow attackers to remotely take over cameras, live stream, download stored files and even compromise other devices located on the local network. (Source: F-Secure Report available here).

The vulnerabilities affect "Foscam" branded cameras and cameras manufactured by China-based Shenzhen Foscam only. The vulnerabilities DO NOT affect Amcrest or FDT branded cameras which are produced by a separate factory and R&D team led by US-based Amcrest (formerly Foscam US and now Amcrest), which is totally unrelated to China-based Shenzhen Foscam.

Amcrest split off from China-based Shenzhen Foscam in 2015 / 2016 due to issues relating to distribution, lack of security and quality control and thus Amcrest and FDT cameras are totally unaffected by these latest security vulnerabilities.

The models affected include the following:
Foscam R2
Foscam C1
Foscam C1 Lite
Foscam C2
Foscam FI9800
Foscam FI9826P
Foscam FI9828P
Foscam FI9851P
Foscam FI9853EP
Foscam FI9901EP
Foscam FI9903P
Foscam FI9928P
 

luder888

Me too. Luckily I have been phasing out my old 8910s. I only have 3 now. I have been using a fake Gateway and DNS; hopefully that's enough to prevent the cameras from accessing the web.
 

wayner

But I wonder how much risk you have if the cameras are not port forwarded to the internet and never have been?
 

Caesium

If your IPC aren't connected to the internet I'd suggest any risk is fairly low
 

Mike.in.Minnesota

(Correct any statements)

Foscam China-based Shenzhen has released firmware updates to address these issues.

A major issue in the report that Foscam.us is touting is the lack of a password when you first power up the cameras! Really! They require you to change the password, and, anyone who has a wifi device with no password is an idiot! Their cameras do the same stupid thing! OMG. lol

I also received the email from Foscam.US about their evil rival Foscam China-based Shenzhen.
I sent Foscam.Shenzhen an email asking them about this, and their relationship with Foscam.us. Their reply is included below.

It's not my intention to start a flame over this topic, and I refuse to defend my opinion. After all, it is exactly that, My Opinion.
It always amazes me how some people get enraged and insist others follow their beliefs... or else!!!! lol

I know that many seasoned Cam'ers absolutely detest Foscam. They're a low-end product, and they have served me well. I've recently replaced my 18W MJPEG cams with 26P h264 960p wide angle 110d with 3x optical zoom cameras, and there is a world of difference. I bought 6 of them, and negotiated a lower price with the seller!

A little history....
Foscam.US had an agreement with Foscam.Shenzhen to be the official and only US distributor of Foscam products made in China by Foscam.Shenzhen. That was years ago, and, well, time AND contracts run out! Foscam.Shenzhen started selling their products in the US competing with Foscam.US. And the war over Foscam began.

Many of the claims brought by Foscam.us are plain untrue. Some are just plain false and ignorant, some are founded, but taking precautions keeps you safe. In any event, Foscam.Shenzhen addressed these issues in their recent firmware updates. So, the continual sending of these emails by Foscam.us (Foscrust.us), in my opinion, is harassment, and open to litigation - good luck Foscam.Shenzhen, since they're international.

I've purchased exclusively from Foscam.Shenzhen over the years because I don't like how Foscam.US does business. This proves it. Personal preference.




Reply from Foscam.Shenzhen...
---------------------------------------------------------------------------------------------------

Re: [Ticket#2017061343000264] URGENT: China-Based Foscam Security Vulnerabilities Discovered - IMMEDIATE ACTION REQUIRED

tech@foscam.com <tech@foscam.com>
Jun 13


Dear Mike,

Thank you for contacting Foscam Support!

With regard to the bugs mentioned in the F-secure reports, Foscam attributes great importance to it and arranged our Research and Development Department to analyze each of the items immediately.

We found out that some items mentioned in the report do not exist, and our cameras have to change the default password that avoids some mentioned case to happen. For the existing bugs, please be patient while we are developing the new firmware. We suggest you keep an eye on our website as we'll be releasing a new firmware for our top models within this week. Firmware for other models will also be released in the following days.

Some competitors have abused the report to exaggerate the situation and spread panic among our faithful user in order to take advantage. Each software may have what we do is we keep on improving the security of Foscam cameras. Foscam has always attributed great importance to our product security and we have a special department who are dedicated to improving our product security by having updated firmware in time.

Best Regards
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Your satisfaction is our goal. Any feedback will be highly valued.
If you are not satisfied, please e-mail feedback@foscam.com with your assessment or feedback.

Katherine dela Cruz Customer Service Representative

Shenzhen Foscam Intelligent Technology Co.,Ltd
Web: www.foscam.com Foscam Cloud: www.myfoscam.com
Email: tech@foscam.com Call us to get help below:
US: 1-844-344-1113 UK: 0808-2349402
CA: 1866-703-7167 AU: 1800-790-501
SG: 800-8523-721 MY: 1800-81-4282


06/13/2017 02:40 - Mike W wrote:
I have a FI9826P V2 with latest 2.30 firmware. I have another 5 cameras arriving tomorrow.

How do I protect myself from this vulnerability?

My network configuration...
- all are hard wired to IP cables to switches/router.
- Settings that are turned off: DDNS, UPnP, Mail, Ftp, P2P
- I access these cameras outside my local network via port forwarding.

Of course, foscam.us would be making this quite known.
Apparently, they are sending this to anyone who has contacted them. I'm wondering also if they are sending it to all of their former Foscam purchasers.
 