Eavesdropping by the Foscam Security Camera

Brian Krebs has a really weird story about the built-in eavesdropping by the Chinese-made Foscam security camera:

Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn't actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.

Posted on February 24, 2016 at 12:05 PM • 29 Comments

Comments

keiner • February 24, 2016 12:39 PM

How can this device "perforate firewalls"? PnP enabled?

Normally: Give it a static IP, set up a block rule for this IP (allow LAN and VPN network). Done....

Bill • February 24, 2016 1:06 PM

@keiner: That's what Krebs meant by "serious networking expertise". Most users of these devices do not understand how to do that. They plug it in, they can surf the web, they're happy.

Daniel • February 24, 2016 1:08 PM

I find it difficult to feel sorry for anyone who uses a networked refrigerator, oven, and whatnot. You don't need all that crap, you just think you do. I don't see how it's fair to complain about company X violating one's privacy when buying an IoT device in the first place declares you don't give a damn about privacy. Rather than trying to fix things to be private we should all take a step back and simply be private.

Paul Davis • February 24, 2016 1:09 PM

I can verify this behaviour. I purchased two Foscam cameras after being burgled just after Christmas, and installed them both. They have had a good reputation. The indoor camera was one of the new models which configures itself by scanning a QR code on its base with a phone app. The outdoor more conventional. I followed all instructions carefully, resetting passwords from the default and selecting the maximum privacy options. Within a few days we blew our broadband data limit and I traced it back to the indoor camera uploading roughly 20Gb per day. There was no option to turn this off. I factory reset the camera and did not use the auto-config app this time, but the uploading continued. I had a chat with a very savvy network engineer friend who did some remote testing, verified that my router firewall was operating in a secure configuration, and we deduced that the camera was 'calling out' to a server through my firewall.

He suggested, and this worked, using the camera network configuration to set a static IP rather than DHCP, and give it a non-allocated IP number within the LAN subnet for its gateway address.

I also now leave the camera unplugged when it is not being used.

ianf • February 24, 2016 2:58 PM

@ Daniel,
feeling sorry or not for IoT won't be an option, when the economies of manufacturing scale dictate that only such (equipped with, not necessarily enabled) devices are available for purchase, and old vintage pre-IoT ones have all been bought up by once repairmen of them and other true aficionados who can appreciate the quality & cherish their lack of connectedness at the same time.

We've discussed this topic quite recently; here some samples from two threads…

https://www.schneier.com/blog/archives/2016/01/the_internet_of.html#c6716504

https://www.schneier.com/blog/archives/2016/02/the_internet_of_1.html#c6716477

https://www.schneier.com/blog/archives/2016/02/the_internet_of_1.html#c6716526

Anon • February 24, 2016 3:09 PM

No mention if this is in the EULA. Would be far more interesting if it did this, and it was NOT mentioned.

Paul Davis: 20 Gb/day? Did you think about running packet sniffer software and seeing WHAT it was sending that used 20 Gb/day? That seems like it is live streaming everything the camera sees!

Aaron • February 24, 2016 3:19 PM

@Paul Davis - I have 2 Foscam cameras, have not seen this behavior on either one. Could you share the model # & fw version?

Ray Dillinger • February 24, 2016 3:33 PM

I keep telling them, it isn't the "Internet of Things."

It's the "Internet of Targets."

And if it's a snoopy device (which almost all of them are) it's just a much much bigger target.

A crook who watches the video from your Foscam, of course, knows whether you've got things worth stealing and when you're not home. Fill in the god damned blanks about whether this is a good idea.

Mike • February 24, 2016 5:13 PM

Given the volume of traffic some folks are seeing, I'm going to hazard a guess that these manufacturers are basically using this P2P network as a means to distribute their firmware updates using their customers' own network capacity. There's no other need for network hole punching (STUN/TURN) just for automatic updates.

JG4 • February 24, 2016 6:33 PM


I tried to warn them, but they just laughed at me

one of the spooks is very fond of Meraki networking gear and was able to use his to ringfence a Nest spy device and some other offending gear

his refrigerator was talking to the smart meter, but stopped when he changed the appropriate menu option

I've been too lazy and dysfunctional to post a power supply isolation circuit, but the general configuration is pretty obvious

Camera-On • February 24, 2016 6:34 PM

All five brands of IP cams from China call home by default, or try. You need to assign a static IP as noted. Also carefully go through the settings and disable anything looking like P2P, "Free" Cloud connectivity, free DNS etc. I also go into the router and use the "Block Services" feature to close ALL ports to the cameras.

I then use an IP camera software to provide server services. Even then one of my cameras, not a FOSCAM, is trying to connect to China 24/7, but is being blocked at the router.

It's safe to assume all IP cameras are calling home, and likely broadcasting to the entire world on default settings.

Some Guy • February 24, 2016 11:03 PM

Seems there's a real profit opportunity here for someone to make a simple, no-frills IP web cam with fully-open source firmware. Plain old HTTP stream of JPEG captures or whatever, patent-unencumbered etc. OK, add some authentication of course, but make it clear it's not phoning home somewhere else, or using any proprietary protocols.

Lots of SPI/I2C dumb camera modules out there I'm sure.. pair them up with one of those ESP8266 wifi modules or whatever they're called and stick 'em in a box. Put it on a Kickstarter for $80 or so and anyone who's concerned about this stuff would buy a few.

Lee • February 25, 2016 12:08 AM

Guess what next: the camera and your firewall (both made in China) have established communication, so it would harden itself, so that you will never notice being filmed 24 hrs and monitored by the CCP.

Winter • February 25, 2016 3:45 AM

Daniel
"I find it difficult to feel sorry for anyone who uses a networked refrigerator, oven, and whatnot. You don't need all that crap, you just think you do."

Catering and restaurant chains do need networked refrigerators, and the food-processing industry in general. Not only for what is still in store (just-in-time-delivery), but also what is still not gone stale, and how does the temperature behave.

And for consumers we are going from owning appliances to renting services. From owning heating and airco systems and lamps to getting the climate and lighting delivered to our apartments.

All such systems need to be networked.

Jules • February 25, 2016 4:06 AM

I take the same precautions as others - everything on the network has a fixed IP, and I have a range for devices that should not have outgoing connections, which are blocked and logged at the firewall. The DHCP allocated range of IP addresses has very limited access to the network/internet, and I have a script that emails me when a new device appears on the network - some devices can have a number of MAC addresses.

I have an old Foscam camera, a new TRENDnet one and an old EasyN one, none of which appear to want to make outgoing connections, but none of them have any P2P options. They send notification email to an internal mail server which forwards it on.

@Some Guy: what about a Raspberry PI with the camera module? Add a couple of stepper motors and you could make a Pan and Tilt version!
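The new-device check Jules describes (fixed addresses for known hardware, an alert when an unfamiliar MAC shows up) can be done from the router's neighbour table. The script below is an added example, not Jules's script or anything from Foscam: it parses a constructed sample of `ip neigh show` output, compares it with a hypothetical inventory of known MAC addresses and their expected fixed IPs, and reports both unknown devices and known devices that have turned up at an unexpected address. The second case is worth flagging on its own: a camera that was given a fixed IP but suddenly appears at a DHCP address has most likely been factory reset, and with it any phone-home options you had disabled.

```python
import re

# Constructed sample of `ip neigh show` output (not captured from a real network).
NEIGH_SAMPLE = """\
192.168.1.20 dev eth0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.22 dev eth0 lladdr 00:11:22:33:44:66 STALE
192.168.1.150 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.151 dev eth0 lladdr de:ad:be:ef:00:02 DELAY
192.168.1.30 dev eth0 FAILED
"""

# Hypothetical inventory: MAC -> (friendly name, expected fixed IP, or None if it
# lives in the DHCP range). Devices that must not talk outbound get fixed IPs so
# the firewall can match them by address.
KNOWN_DEVICES = {
    "00:11:22:33:44:55": ("foscam-old", "192.168.1.20"),
    "00:11:22:33:44:66": ("trendnet", "192.168.1.21"),
    "de:ad:be:ef:00:01": ("laptop", None),
}

# One neighbour entry per line; entries without an lladdr (FAILED/INCOMPLETE)
# carry no MAC and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9a-fA-F:]{17}) (?P<state>\S+)$"
)


def parse_neigh(text):
    """Return [(ip, mac), ...] for every resolved neighbour in `ip neigh` output."""
    entries = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower()))
    return entries


def audit(entries, known):
    """Compare the neighbour table with the inventory.

    unknown: MACs not in the inventory (new device on the LAN).
    moved:   known device with a fixed IP seen at a different address
             (likely reset to defaults, so re-check its settings and firewall rules).
    """
    report = {"unknown": [], "moved": []}
    for ip, mac in entries:
        if mac not in known:
            report["unknown"].append((ip, mac))
            continue
        name, expected_ip = known[mac]
        if expected_ip is not None and expected_ip != ip:
            report["moved"].append((name, expected_ip, ip))
    return report


def alert_body(report):
    """Plain-text summary suitable for the body of a notification e-mail."""
    lines = []
    for ip, mac in report["unknown"]:
        lines.append(f"NEW DEVICE: {mac} at {ip} (not in inventory)")
    for name, expected_ip, ip in report["moved"]:
        lines.append(f"MOVED: {name} expected at {expected_ip}, now at {ip} (reset?)")
    return "\n".join(lines) if lines else "no changes"


if __name__ == "__main__":
    # In real use, replace NEIGH_SAMPLE with the output of `ip neigh show`
    # and hand alert_body()'s result to your mail command or cron job.
    print(alert_body(audit(parse_neigh(NEIGH_SAMPLE), KNOWN_DEVICES)))
```

Run it from cron on the router or a box that sees the LAN's ARP traffic; a device with several MAC addresses, as Jules notes, just needs every MAC listed under the same name in the inventory.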

Christine • February 25, 2016 6:08 AM

@Some Guy: Lots of options for turning a Raspberry Pi into a web cam or security camera.

https://github.com/ccrisan/motioneyeos/wiki

https://github.com/ccrisan/motionPie/releases

http://jacobsalmela.com/raspberry-pi-webcam-using-mjpg-streamer-over-internet/

The good news is the code is open source and if you don't like how something works, you can recompile the code to change it. The packages are very customizable and it's easy to configure one for your needs. Plus you don't have to worry about back doors.

The bad news is the Raspberry Pi is a hobby device, and does not include features common to security cameras such as Power Over Ethernet, a good weatherproof housing, or an IR illuminator. Adding these accessories drives the cost up rapidly.

Snarki, child of Loki • February 25, 2016 6:15 AM

And what is being done with the video, when it gets to its destination?

Piped to /dev/null? Or archived on a subscription-only web site?

This might well be "Rule 34" territory.

Christopher • February 25, 2016 1:38 PM

"Catering and restaurant chains do need networked refrigerators, and the food-processing industry in general. Not only for what is still in store (just-in-time-delivery), but also what is still not gone stale, and how does the temperature behave."

This is no substitute for inventory control, and if you already practice poor inventory control, you now have a security vulnerability to manage along with the invoices and receipts. So no, they don't need it. At all. need > want or "might like"

Anon Y. Mouse • February 25, 2016 7:22 PM

@Winter

"Catering and restaurant chains do need networked refrigerators, and the food-processing industry in general. Not only for what is still in store (just-in-time-delivery), but also what is still not gone stale, and how does the temperature behave."

[...]

All such systems need to be networked."

No. No they do not.

The food service/processing industry has operated for hundreds of years without the "benefit" of Internet-connected refrigerators. Networked appliances may cut costs, raise efficiency, and be easier -- at the risk of being compromised. It brings us directly to the fundamental trade-off that must be made: convenience vs. security.

There is an expression: "it's all fun and games until someone gets their eye poked out." Or in this case, it's all lower costs and efficiency, until someone hacks your networks, commandeers your devices, ruins your inventory, and screws around with your purchase orders.

Foscamed • February 25, 2016 10:44 PM

I have 6 Foscam cameras and about a month ago I started to notice weird connections to old ports I had open for one of the cams.

In my case I used WAN port 777 for one of the Foscams. Some time later I changed the cams to other ports and used 777 for other services. That was when I started to see the attempts from Chinese IPs to try to login.

Kathy • August 26, 2016 10:39 PM

Sure does upload 20 gb of data you idiots. It's called the video streaming. Make sure you vote for Trump. He loves people who put their mouths in gear before letting their brain turn over

Tom • August 27, 2016 6:24 AM

We understand that information is critical to success, which is why we are singularly focused on the development of video surveillance and security solutions that provide you the information necessary to make real-time, business-enabling decisions.
From the recently introduced Video expert video management platform to our industry-leading selection of IP cameras and accessories, We are committed to designing and delivering a broad range of high-quality, IP video security products and systems complemented with an unparalleled level of customer support and services.

.. read more

Manuel M. • October 5, 2016 12:06 PM

It's true that, like it or not, our images go through the Internet without any permissions. But in any case the user can activate or deactivate sending these images.

The user can allow or disable P2P in the Foscam configuration, so if preferred one can use the IP/DDNS configuration to access remotely.

Eric • January 17, 2017 12:04 AM

This weekend I bought a Foscam C2. On the camera I disabled P2P, DDNS etc.

I was completely surprised that the app on my iPhone was able to access the camera from the WAN, since on my router no port forwarding was enabled. I started some research with Wireshark on the router. The camera was connected with 9 different IP addresses, both TCP and UDP.

In the Netherlands at every website we have to click away the cookie warnings, but a camera can send stuff without any warning or acceptance of the user... For me this is not acceptable.
On the Foscam website I cannot find any background information on this, for example which information is sent?

Very scary...

Dirk Praet • January 17, 2017 4:11 AM

@ Eric

The camera was connected with 9 different IP addresses, both TCP and UDP.

Try wiresharking Skype some time. You won't believe what you see.

ChrisN • January 17, 2017 9:29 AM

@Eric
The camera was connected with 9 different IP addresses, both TCP and UDP.

Fabulous. Sounds like Foscam is another bulls--t company to avoid.

maigiast@trashinbox.net • April 4, 2017 7:20 PM

I was just about to purchase more cameras when I found your site. Glad I found this site and information. Thanks! I will definitely NOT be purchasing any more Foscam cameras. Here's the info on the IPs and ports my Foscam is communicating on. Tsk, tsk, shame on you Foscam!

Foscam FI9805P TCP Ports

46.137.188.54 80 Amazon Data Services Ireland Ltd
50.19.254.134 443 Amazon
61.188.37.216 8000 China Telecom SiChuan Telecom Internet Data Center
74.125.31.99 80 Google

maigiast • April 12, 2017 10:09 PM

Also, I wanted to update my last post. I also checked my iPhone while using the Foscam App to access my cameras. It was also contacting multiple IPs while I was accessing my cameras. Also just to clarify for some people... Just having your camera with ONLY a fixed/static IP does NOT keep it from communicating with these dodgy foreign based servers. As a few other people have mentioned you need to block either the IPs or the ports that these outbound connections are using. I recommend blocking the IPs as an easier solution. Or if you don't want to access the cameras remotely you can use MAC filtering to block all outbound connections. It's aggravating to have to do stuff like this for my cameras and the systems I work on. But I feel responsible to protect my customers' privacy as well as my own. I will be looking for alternative cameras for future installs from now on. Thanks again for the heads up on these "dirty" Foscams!

Foscam App
103.235.46.39 Hong Kong
120.132.176.173 China Telecom
14.17.97.45 China Telecom Guangdong
184.50.253.113 Akamai
173.194.219.109 Google
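Several posts in this thread converge on the same defence: give the camera a fixed LAN address (keiner, Paul Davis), then block its traffic at the router, because, as maigiast points out, the fixed address by itself stops nothing. The script below is an added example and not code from any commenter or from Foscam. It takes a list of observed connections, the four external rows reusing the addresses and owners maigiast listed above and the LAN rows constructed for illustration, sorts the camera's connections into local and external, and renders a default-deny egress policy for that one address as `nft` commands. The camera address, LAN subnet, recorder address and the nftables table and chain names are all assumptions.

```python
import ipaddress

CAMERA_IP = "192.168.1.20"                       # assumed fixed address of the camera
LAN = ipaddress.ip_network("192.168.1.0/24")     # assumed LAN subnet
# Local destinations the camera is expected to reach (hypothetical recorder/NVR).
ALLOWED_LOCAL = {("192.168.1.10", "tcp", 8080)}

# (src, dst, proto, dport, owner). The external rows reuse the IPs/owners from
# maigiast's post above; the LAN rows and the laptop row are constructed.
OBSERVED = [
    ("192.168.1.20", "46.137.188.54", "tcp", 80, "Amazon Data Services Ireland Ltd"),
    ("192.168.1.20", "50.19.254.134", "tcp", 443, "Amazon"),
    ("192.168.1.20", "61.188.37.216", "tcp", 8000, "China Telecom SiChuan Telecom IDC"),
    ("192.168.1.20", "74.125.31.99", "tcp", 80, "Google"),
    ("192.168.1.20", "192.168.1.10", "tcp", 8080, "local recorder (constructed)"),
    ("192.168.1.20", "192.168.1.77", "udp", 5353, "local mDNS peer (constructed)"),
    ("192.168.1.50", "50.19.254.134", "tcp", 443, "laptop, not the camera (constructed)"),
]


def classify(observed, camera_ip, lan, allowed_local):
    """Split the camera's connections into allowed local, other local, and external.

    Only rows whose source is the camera's fixed address are considered; this is
    why the fixed address matters, it is what makes the device identifiable.
    """
    result = {"allowed": [], "local_other": [], "external": []}
    for src, dst, proto, dport, owner in observed:
        if src != camera_ip:
            continue
        if ipaddress.ip_address(dst) in lan:
            key = "allowed" if (dst, proto, dport) in allowed_local else "local_other"
        else:
            key = "external"
        result[key].append((dst, proto, dport, owner))
    return result


def nft_rules(camera_ip, lan, allowed_external=(), table="inet filter", chain="forward"):
    """Render a default-deny egress policy for the camera as nft commands.

    Blocking by destination (maigiast's approach) has to chase every new server;
    dropping everything that leaves the LAN, with an explicit allow list, does not.
    Table and chain are assumed to exist; the strings are returned, not executed.
    """
    rules = []
    for dst, proto, dport in allowed_external:
        rules.append(
            f"nft add rule {table} {chain} ip saddr {camera_ip} "
            f"ip daddr {dst} {proto} dport {dport} accept"
        )
    # Log before dropping so the router's log shows every phone-home attempt.
    rules.append(
        f"nft add rule {table} {chain} ip saddr {camera_ip} ip daddr != {lan} "
        f'counter log prefix "camera-egress " drop'
    )
    return rules


def summary(result):
    """One line per external destination, for a quick review of what was reached."""
    return [f"{dst}:{dport}/{proto} {owner}" for dst, proto, dport, owner in result["external"]]


if __name__ == "__main__":
    verdict = classify(OBSERVED, CAMERA_IP, LAN, ALLOWED_LOCAL)
    for line in summary(verdict):
        print("external:", line)
    for rule in nft_rules(CAMERA_IP, LAN):
        print(rule)
```

On a flat LAN the camera's local traffic never passes the router's forward chain, so the single drop rule is all that is needed; on a routed or VLAN setup, add the recorder and any NTP server you want it to reach to `allowed_external` before the drop. Watch the `camera-egress` log prefix afterwards: a device that keeps retrying, as Camera-On describes, is a sign the rule is doing its job, not that it is misconfigured.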
