IoT insecurity by example

Apexis is a known manufacturer of IP cameras. Other companies like Logilink, Foscam or Denver also sell branded IP cameras which are based on the same hardware design and firmware contents.

These IP cameras have a number of characteristic security weaknesses:

  • UPnP is active by default and is used to set up port forwarding for port 80 (HTTP).
    • This makes the camera directly reachable from the Internet if the router allows configuration changes via UPnP (which a lot of consumer routers do).
  • Each device has a unique DNS hostname like 'x1234.oipcam.com'. When connected to the Internet, it will automatically trigger a DDNS update for this hostname.
    • You can configure additional DDNS providers, but you can't disable 'oipcam.com'.
  • Weak default username / password for web access ('admin'/'admin' or 'admin'/'1234' or 'admin'/'').
  • Weak root user password '123456'. If you change the password, it will be reset on next boot.
  • No encrypted communication is available (e.g. HTTPS, VPN, SSH).
  • Outdated software:
    • Linux kernel 2.4.20-uc0 (compiled 2012)
    • DHCP Client Daemon v.1.3.22-pl4 (2003)
    • ifconfig 1.39 (1999-03-18)
    • route 1.96 (1999-01-01)
    • wpa_supplicant v0.4.7 (2005)
  • No firmware updates are provided by any vendor.
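
Because every device uses a hostname under 'oipcam.com', a resolver query log is one place to spot these cameras on your own network. The following is an added example, not part of the original post: it assumes a dnsmasq resolver with query logging enabled and that the camera looks up a name under 'oipcam.com' when it performs its DDNS update (the post does not say how the update is done). All log lines and addresses are constructed.

```python
import re
from collections import defaultdict

# Constructed sample lines in dnsmasq's query-log format (log-queries enabled).
# Hostnames and addresses are made up for this example.
SAMPLE_LOG = """\
Mar  3 09:14:02 dnsmasq[812]: query[A] www.example.org from 192.168.1.23
Mar  3 09:14:07 dnsmasq[812]: query[A] x1234.oipcam.com from 192.168.1.50
Mar  3 09:14:07 dnsmasq[812]: forwarded x1234.oipcam.com to 9.9.9.9
Mar  3 09:20:41 dnsmasq[812]: query[A] X1234.OIPCAM.COM. from 192.168.1.50
Mar  3 09:21:10 dnsmasq[812]: query[AAAA] notoipcam.com from 192.168.1.23
Mar  3 09:25:55 dnsmasq[812]: query[A] oipcam.com.cdn.example from 192.168.1.23
Mar  3 09:31:19 dnsmasq[812]: query[A] a77.oipcam.com from 192.168.1.61
"""

# Only "query[...] <name> from <client>" lines identify the asking client.
QUERY_RE = re.compile(
    r"query\[(?P<qtype>[A-Z0-9]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)"
)
DDNS_ZONE = "oipcam.com"  # zone named in the post


def in_zone(name, zone=DDNS_ZONE):
    """True if name is the zone itself or a subdomain of it.

    The match is label-aligned, so 'notoipcam.com' and
    'oipcam.com.cdn.example' are not counted.
    """
    name = name.rstrip(".").lower()
    return name == zone or name.endswith("." + zone)


def find_cameras(log_text, zone=DDNS_ZONE):
    """Map each client address to the sorted zone hostnames it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and in_zone(m.group("name"), zone):
            hits[m.group("client")].add(m.group("name").rstrip(".").lower())
    return {client: sorted(names) for client, names in hits.items()}


if __name__ == "__main__":
    for client, names in sorted(find_cameras(SAMPLE_LOG).items()):
        print(f"{client}: {', '.join(names)}")
```

Clients reported here are candidates for isolation on a separate network segment and for a check of the router's UPnP port mappings.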

Repair manual from Foscam:
http://foscam-uk.com/download/FAQ/Repair/FI8918W%20repair%20guidance-.pdf

CGI documentation from Foscam:
http://www.produktinfo.conrad.com/datenblaetter/500000-524999/515898-an-01-en-CGIV121WLANLANFARBKAMERAINKL_IRCUT.pdf

... to be continued.