Eavesdropping by the Foscam Security Camera

Brian Krebs has a really weird story about the built-in eavesdropping by the Chinese-made Foscam security camera:

Imagine buying an internet-enabled surveillance camera, network attached storage device, or home automation gizmo, only to find that it secretly and constantly phones home to a vast peer-to-peer (P2P) network run by the Chinese manufacturer of the hardware. Now imagine that the geek gear you bought doesn’t actually let you block this P2P communication without some serious networking expertise or hardware surgery that few users would attempt.

Posted on February 24, 2016 at 12:05 PM • 31 Comments

Comments

keiner February 24, 2016 12:39 PM

How can this device “perforate firewalls”? PnP enabled?

Normally: Give it a static IP, set up a block rule for this IP (allow LAN and VPN network). Done….

Bill February 24, 2016 1:06 PM

@keiner: That’s what Krebs meant by “serious networking expertise”. Most users of these devices do not understand how to do that. They plug it in, they can surf the web, they’re happy.

Daniel February 24, 2016 1:08 PM

I find it difficult to feel sorry for anyone who uses a networked refrigerator, oven, and whatnot. You don’t need all that crap, you just think you do. I don’t see how it’s fair to complain about company X violating one’s privacy when buying an IoT device in the first place declares you don’t give a damn about privacy. Rather than trying to fix things to be private we should all take a step back and simply be private.

Paul Davis February 24, 2016 1:09 PM

I can verify this behaviour. I purchased two Foscam cameras after being burgled just after Christmas, and installed them both. They have had a good reputation. The indoor camera was one of the new models which configures itself by scanning a QR code on its base with a phone app. The outdoor more conventional. I followed all instructions carefully, resetting passwords from the default and selecting the maximum privacy options. Within a few days we blew our broadband data limit and I traced it back to the indoor camera uploading roughly 20Gb per day. There was no option to turn this off. I factory reset the camera and did not use the auto-config app this time, but the uploading continued. I had a chat with a very savvy network engineer friend who did some remote testing, verified that my router firewall was operating in a secure configuration, and we deduced that the camera was ‘calling out’ to a server through my firewall.

He suggested, and this worked, using the camera network configuration to set a static IP rather than DHCP, and give it a non-allocated IP number within the LAN subnet for its gateway address.

I also now leave the camera unplugged when it is not being used.

ianf February 24, 2016 2:58 PM

@ Daniel,
feeling sorry or not for IoT won’t be an option when the economies of manufacturing scale dictate that only such (equipped with, not necessarily enabled) devices are available for purchase, and old vintage pre-IoT ones have all been bought up by onetime repairmen of them and other true aficionados who can appreciate the quality and cherish their lack of connectedness at the same time.

We’ve discussed this topic quite recently; here some samples from two threads…

https://www.schneier.com/blog/archives/2016/01/the_internet_of.html#c6716504

https://www.schneier.com/blog/archives/2016/02/the_internet_of_1.html#c6716477

https://www.schneier.com/blog/archives/2016/02/the_internet_of_1.html#c6716526

Anon February 24, 2016 3:09 PM

No mention if this is in the EULA. Would be far more interesting if it did this, and it was NOT mentioned.

Paul Davis: 20 Gb/day? Did you think about running packet sniffer software and seeing WHAT it was sending that used 20 Gb/day? That seems like it is live streaming everything the camera sees!

Aaron February 24, 2016 3:19 PM

@Paul Davis – I have 2 Foscam cameras, have not seen this behavior on either one. Could you share the model # & fw version?

Ray Dillinger February 24, 2016 3:33 PM

I keep telling them, it isn’t the “Internet of Things.”

It’s the “Internet of Targets.”

And if it’s a snoopy device (which almost all of them are) it’s just a much much bigger target.

A crook who watches the video from your Foscam, of course, knows whether you’ve got things worth stealing and when you’re not home. Fill in the god damned blanks about whether this is a good idea.

Mike February 24, 2016 5:13 PM

Given the volume of traffic some folks are seeing, I’m going to hazard a guess that these manufacturers are basically using this P2P network as a means to distribute their firmware updates using their customers’ own network capacity. There’s no other need for network hole punching (STUN/TURN) just for automatic updates.

JG4 February 24, 2016 6:33 PM

I tried to warn them, but they just laughed at me

one of the spooks is very fond of Meraki networking gear and was able to use his to ringfence a Nest spy device and some other offending gear

his refrigerator was talking to the smart meter, but stopped when he changed the appropriate menu option

I’ve been too lazy and dysfunctional to post a power supply isolation circuit, but the general configuration is pretty obvious

Camera-On February 24, 2016 6:34 PM

All five brands of IP cams from China call home by default, or try to. You need to assign a static IP as noted. Also carefully go through the settings and disable anything looking like P2P, “Free” Cloud connectivity, free DNS etc. I also go into the router and use the “Block Services” feature to close ALL ports to the cameras.

I then use IP camera software to provide server services. Even then one of my cameras, not a FOSCAM, is trying to connect to China 24/7, but is being blocked at the router.

It’s safe to assume all IP cameras are calling home, and likely broadcasting to the entire world on default settings.

Some Guy February 24, 2016 11:03 PM

Seems there’s a real profit opportunity here for someone to make a simple, no-frills IP web cam with fully-open source firmware. Plain old HTTP stream of JPEG captures or whatever, patent-unencumbered etc. OK, add some authentication of course, but make it clear it’s not phoning home somewhere else, or using any proprietary protocols.

Lots of SPI/I2C dumb camera modules out there I’m sure.. pair them up with one of those ESP8266 wifi modules or whatever they’re called and stick ’em in a box. Put it on a Kickstarter for $80 or so and anyone who’s concerned about this stuff would buy a few.

Lee February 25, 2016 12:08 AM

Guess what’s next: the camera and your firewall (both made in China) have established communication, so it would harden itself, so that you will never notice being filmed 24 hrs and monitored by the CCP.

Winter February 25, 2016 3:45 AM

Daniel
“I find it difficult to feel sorry for anyone who uses a networked refrigerator, oven, and whatnot. You don’t need all that crap, you just think you do.”

Catering and restaurant chains do need networked refrigerators, and the food-processing industry in general. Not only for what is still in store (just-in-time-delivery), but also what is still not gone stale, and how does the temperature behave.

And for consumers we are going from owning appliances to renting services. From owning heating and airco systems and lamps to getting the climate and lighting delivered to our apartments.

All such systems need to be networked.

Jules February 25, 2016 4:06 AM

I take the same precautions as others – everything on the network has a fixed IP, and I have a range for devices that should not have outgoing connections, which are blocked and logged at the firewall. The DHCP allocated range of IP addresses has very limited access to the network/internet, and I have a script that emails me when a new device appears on the network – some devices can have a number of MAC addresses.

I have an old Foscam camera, a new TRENDnet one and an old EasyN one, none of which appear to want to make outgoing connections, but none of them have any P2P options. They send notification email to an internal mail server which forwards it on.

@Some Guy: what about a Raspberry PI with the camera module? Add a couple of stepper motors and you could make a Pan and Tilt version!
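One way to build the kind of new-device alert Jules describes (fixed IPs, a range that gets no outbound access, and a mail whenever an unfamiliar MAC shows up, allowing for devices that own several MACs). This is an added example written for this page, not code from the blog post or from any of the commenters; the inventory, the no-egress range and the neighbour table are constructed values, and the `ip neigh`-style input format and the `example.com` mail addresses are assumptions.

```python
"""New-device alert from a neighbour table, with per-device MAC groups.

Added example, not code from the blog post: one way to do what Jules's
comment describes. The neighbour table is a constructed `ip neigh` style
dump; on a real host you would feed in the output of `ip neigh show` and
hand the resulting EmailMessage to an SMTP server of your choice.
"""
import ipaddress
from email.message import EmailMessage

# One device may own several MACs (wired plus wireless interface), so the
# inventory maps a device name to a set of MACs. Constructed values.
KNOWN_DEVICES = {
    "router":        {"aa:bb:cc:00:00:01"},
    "nas":           {"aa:bb:cc:00:00:02"},
    "laptop":        {"aa:bb:cc:00:00:03", "aa:bb:cc:00:00:04"},
    "foscam-indoor": {"aa:bb:cc:00:00:05"},
}

# Range reserved for devices that get no outbound access at the firewall (constructed).
NO_EGRESS_RANGE = ipaddress.ip_network("192.168.1.48/28")

# Constructed neighbour table in the format `ip neigh show` prints.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr aa:bb:cc:00:00:01 REACHABLE
192.168.1.10 dev eth0 lladdr aa:bb:cc:00:00:02 STALE
192.168.1.21 dev eth0 lladdr aa:bb:cc:00:00:04 REACHABLE
192.168.1.50 dev eth0 lladdr AA:BB:CC:00:00:05 REACHABLE
192.168.1.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.99 dev eth0  FAILED
"""


def parse_neigh(text: str) -> list:
    """Return (ip, mac) pairs; entries without a link-layer address are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue
        mac = fields[fields.index("lladdr") + 1].lower()  # normalise case before matching
        entries.append((fields[0], mac))
    return entries


def mac_owner(mac: str, known: dict = KNOWN_DEVICES):
    """Name of the device that owns this MAC, or None if it is not in the inventory."""
    mac = mac.lower()
    for name, macs in known.items():
        if mac in macs:
            return name
    return None


def unknown_devices(entries, known: dict = KNOWN_DEVICES) -> list:
    """(ip, mac) pairs whose MAC is not in the inventory."""
    return [(ip, mac) for ip, mac in entries if mac_owner(mac, known) is None]


def build_alert(unknowns, sender="lanwatch@example.com", to="owner@example.com"):
    """Compose the alert mail; None when there is nothing to report."""
    if not unknowns:
        return None
    msg = EmailMessage()
    msg["From"], msg["To"] = sender, to
    msg["Subject"] = f"{len(unknowns)} unknown device(s) on the LAN"
    lines = []
    for ip, mac in unknowns:
        # An unknown MAC squatting in the no-egress range is worth flagging separately.
        where = "no-egress range" if ipaddress.ip_address(ip) in NO_EGRESS_RANGE else "DHCP range"
        lines.append(f"{ip}  {mac}  ({where})")
    msg.set_content("\n".join(lines))
    return msg


if __name__ == "__main__":
    alert = build_alert(unknown_devices(parse_neigh(SAMPLE_NEIGH)))
    print(alert if alert else "no unknown devices")
```

Run it from cron against the live neighbour table and keep the inventory under version control; the MAC-to-name map is what turns "a new address appeared" into "a device I did not authorise appeared".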

Christine February 25, 2016 6:08 AM

@Some Guy: Lots of options for turning a Raspberry Pi into a web cam or security camera.

https://github.com/ccrisan/motioneyeos/wiki

https://github.com/ccrisan/motionPie/releases

http://jacobsalmela.com/raspberry-pi-webcam-using-mjpg-streamer-over-internet/

The good news is the code is open source and if you don’t like how something works, you can recompile the code to change it. The packages are very customizable and it’s easy to configure one for your needs. Plus you don’t have to worry about back doors.

The bad news is the Raspberry Pi is a hobby device, and does not include features common to security cameras such as Power Over Ethernet, a good weatherproof housing, or an IR illuminator. Adding these accessories drives the cost up rapidly.

Snarki, child of Loki February 25, 2016 6:15 AM

And what is being done with the video, when it gets to its destination?

Piped to /dev/null? Or archived on a subscription-only web site?

This might well be “Rule 34” territory.

Christopher February 25, 2016 1:38 PM

“Catering and restaurant chains do need networked refrigerators, and the food-processing industry in general. Not only for what is still in store (just-in-time-delivery), but also what is still not gone stale, and how does the temperature behave.”

This is no substitute for inventory control, and if you already practice poor inventory control, you now have a security vulnerability to manage along with the invoices and receipts. So no, they don’t need it. At all. need <> want or “might like”

Anon Y. Mouse February 25, 2016 7:22 PM

@Winter

“Catering and restaurant chains do need networked refrigerators, and the food-processing industry in general. Not only for what is still in store (just-in-time-delivery), but also what is still not gone stale, and how does the temperature behave.”

[…]

All such systems need to be networked.”

No. No they do not.

The food service/processing industry has operated for hundreds of years
without the “benefit” of Internet-connected refrigerators. Networked
appliances may cut costs, raise efficiency, and be easier — at the risk
of being compromised. It brings us directly to the fundamental trade-off
that must be made: convenience vs. security.

There is an expression: “it’s all fun and games until someone gets their
eye poked out.” Or in this case, it’s all lower costs and efficiency, until
someone hacks your networks, commandeers your devices, ruins your inventory,
and screws around with your purchase orders.

Foscamed February 25, 2016 10:44 PM

I have 6 Foscam cameras and about a month ago I started to notice weird connections to old ports I had open for one of the cams.

In my case I used WAN port 777 for one of the Foscams. Some time later I changed the cams to other ports and used 777 for other services. That was when I started to see attempts from Chinese IPs trying to log in.

Kathy August 26, 2016 10:39 PM

Sure does upload 20 gb of data you idiots. It’s called the video streaming. Make sure you vote for Trump. He loves people who put their mouths in gear before letting their brain turn over

Manuel M. October 5, 2016 12:06 PM

It’s true that anyone who likes our images goes through the Internet without any permissions. But in any case the user can activate or deactivate sending these images.

The user can allow or disable P2P in the Foscam configuration, so if preferred they can use the IP/DDNS configuration to access it remotely.

Eric January 17, 2017 12:04 AM

This weekend I bought a Foscam C2. On the camera I disabled P2P, DDNS etc.

I was completely surprised that the app on my iPhone was able to access the camera from the WAN, since on my router no port forwarding was enabled. I started some research with Wireshark on the router. The camera was connected with 9 different IP addresses, both TCP and UDP.

In the Netherlands at every website we have to click away the cookie warnings, but a camera can send stuff without any warning or acceptance by the user… For me this is not acceptable.
On the Foscam website I cannot find any background information on this, for example which information is sent?

Very scary…

Dirk Praet January 17, 2017 4:11 AM

@ Eric

The camera was connected with 9 different IP addresses, both TCP and UDP.

Try wiresharking Skype some time. You won’t believe what you see.

ChrisN January 17, 2017 9:29 AM

@Eric
The camera was connected with 9 different IP addresses, both TCP and UDP.

Fabulous. Sounds like Foscam is another bulls–t company to avoid.

maigiast@trashinbox.net April 4, 2017 7:20 PM

I was just about to purchase more cameras when I found your site. Glad I found this site and information. Thanks! I will definitely NOT be purchasing any more Foscam cameras. Here’s the info on the IPs and ports my Foscam is communicating on. Tsk, tsk, shame on you Foscam!

Foscam FI9805P TCP Ports

46.137.188.54 80 Amazon Data Services Ireland Ltd
50.19.254.134 443 Amazon
61.188.37.216 8000 China Telecom SiChuan Telecom Internet Data Center
74.125.31.99 80 Google

maigiast April 12, 2017 10:09 PM

Also, I wanted to update my last post. I also checked my iPhone while using the Foscam App to access my cameras. It was also contacting multiple IPs while I was accessing my cameras. Also just to clarify for some people… Just having your camera with ONLY a fixed/static IP does NOT keep it from communicating with these dodgy foreign-based servers. As a few other people have mentioned you need to block either the IPs or the ports that these outbound connections are using. I recommend blocking the IPs as an easier solution. Or if you don’t want to access the cameras remotely you can use MAC filtering to block all outbound connections. It’s aggravating to have to do stuff like this for my cameras and the systems I work on. But I feel responsible to protect my customers’ privacy as well as my own. I will be looking for alternative cameras for future installs from now on. Thanks again for the heads up on these “dirty” Foscams!

Foscam App
103.235.46.39 Hong Kong
120.132.176.173 China Telecom
14.17.97.45 China Telecom Guangdong
184.50.253.113 Akamai
173.194.219.109 Google
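Eric’s observation (a camera with P2P and DDNS switched off still talking to nine addresses over TCP and UDP) and maigiast’s advice (a static IP alone does nothing; the outbound IPs or ports have to be blocked) both come down to the same triage: take the device’s flow records, separate LAN from off-LAN destinations, rank the off-LAN peers by bytes sent, and turn the result into a block list. The following is an added example written for this page, not code from the blog post, the commenters or Foscam; the flow records, the camera address and the destination addresses (RFC 5737 documentation ranges) are constructed, and the record layout is an assumption standing in for a router connection log or a Wireshark conversations export.

```python
"""Egress triage for a LAN camera from exported flow records.

Added example, not code from the blog post or from Foscam. Flow records are
constructed here; on a real network they would come from the router's
connection log, a Wireshark "Statistics > Conversations" export, or a
NetFlow collector.
"""
import ipaddress
from collections import defaultdict

# Prefixes that count as "stays on the LAN". An explicit list rather than
# ipaddress's is_private, because that flag also covers the documentation
# ranges used for the off-LAN destinations in the constructed sample below.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8",
)]

CAMERA_IP = "192.168.1.50"  # constructed: the camera's static LAN address

# Constructed sample flows: (src, dst, proto, dst_port, bytes_sent).
# Destinations are RFC 5737 documentation addresses; none is a real server.
SAMPLE_FLOWS = [
    ("192.168.1.50", "192.168.1.10", "tcp", 88,    2_400_000),    # NVR on the LAN
    ("192.168.1.50", "192.168.1.1",  "udp", 53,    1_200),        # DNS to the router
    ("192.168.1.50", "203.0.113.25", "udp", 32100, 850_000_000),  # sustained upload
    ("192.168.1.50", "203.0.113.25", "tcp", 443,   12_000),
    ("192.168.1.50", "198.51.100.7", "tcp", 80,    40_000),
    ("192.168.1.50", "198.51.100.7", "udp", 32100, 900_000_000),  # sustained upload
    ("192.168.1.50", "192.0.2.44",   "tcp", 8000,  3_100_000),
    ("192.168.1.20", "198.51.100.7", "tcp", 443,   5_000),        # another host, ignored
]


def is_lan(ip: str) -> bool:
    """True if the address falls in one of the LAN prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETWORKS)


def wan_peers(flows, device_ip: str) -> dict:
    """Bytes and destination ports per off-LAN peer for one source device."""
    peers = defaultdict(lambda: {"bytes": 0, "ports": set()})
    for src, dst, proto, port, nbytes in flows:
        if src != device_ip or is_lan(dst):
            continue
        peers[dst]["bytes"] += nbytes
        peers[dst]["ports"].add(f"{proto}/{port}")
    return dict(peers)


def ranked_peers(flows, device_ip: str) -> list:
    """Off-LAN peers sorted by bytes sent, largest first: the phone-home candidates."""
    return sorted(wan_peers(flows, device_ip).items(),
                  key=lambda kv: kv[1]["bytes"], reverse=True)


def total_wan_bytes(flows, device_ip: str) -> int:
    """Everything the device sent off the LAN; compare this against the ISP data cap."""
    return sum(p["bytes"] for p in wan_peers(flows, device_ip).values())


def block_list(flows, device_ip: str) -> list:
    """Destination IPs a LAN-only camera has no reason to reach, for a router block rule.

    Blocking by destination IP is brittle (cloud endpoints move); a default-deny
    egress rule for the camera's own address, with the LAN allowed, is the durable fix.
    """
    return sorted(wan_peers(flows, device_ip))


if __name__ == "__main__":
    print(f"Off-LAN traffic from {CAMERA_IP}: "
          f"{total_wan_bytes(SAMPLE_FLOWS, CAMERA_IP) / 1e9:.2f} GB")
    for dst, info in ranked_peers(SAMPLE_FLOWS, CAMERA_IP):
        print(f"  {dst:16} {info['bytes'] / 1e6:9.1f} MB  {sorted(info['ports'])}")
    print("Candidate block list:", block_list(SAMPLE_FLOWS, CAMERA_IP))
```

Two things the numbers make visible that a port scan does not: the handful of small TCP flows (80, 443, 8000) look like registration and update checks, while the large UDP flows on one high port are what actually eats a data cap, which is the pattern behind the 20 GB/day and 4 GB/weekend figures reported above. The block list is the short-term fix; the per-device default-deny rule at the router is the one that survives the vendor changing servers.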

Marcellus August 14, 2017 9:36 PM

I have a Foscam R2 camera. I can confirm that the camera is using a lot of network bandwidth. It came to light because I have a 100GB data limit. Normally that is more than enough to browse, download, game and YouTube… But now I have the R2 suddenly my data was all used. So, I switched off UPnP, and I enabled MAC filter on my router, which is a Huawei router by the way. The MAC filtering method used is “allow” known (entered) MACs, so the camera should not be able to send anything, right? But… this weekend I was not home and the data used OUTBOUND was 4GB. WTF? (sorry) How is this even possible? I am not sure how this is possible but I know this… this cam stays without power from now on. Need my bandwidth for myself. If there are people with tips or suggestions on how to tame this camera with hacked firmware or something I would really like to know.

Matt January 27, 2020 10:41 PM

Hi, I’m new to this and not very technical at all. But I am worried after reading some of these posts. I own & use a Foscam FI9821W. I don’t think this has a P2P setting on it. About 2 or 3 years ago I came across a review about Foscam. The guy claimed that he found a public site that was showing his camera. I went back looking for that review 2 days later to see if he had added the address of the site where he saw this and his review was gone. Could that have been true? Is there a way for me to tell if my camera is transmitting to a public site? Like I said I am not technical at all so I would need very detailed info on what to do.

Papy Muzo June 15, 2021 1:08 PM

There are plenty of security cams on Amazon at bargain prices. Looks like they want to kill any competition. Every one of these cams will open a backdoor in your home LAN. I needed some support and I emailed them. One hour later I got an answer to my email containing two pics from my house taken with my camera! I believe it is mandatory to warn the user if the equipment connects to an outside server. No warning given. Everything happens in stealth mode. Here is one:

“https://www.amazon.com/dp/B08J158TVV?psc=1&ref=ppx_yo2_dt_b_product_details”
