Abusing the Internet of Things


FIGURE 3-3. Shodan query to locate Foscam devices on the Internet


Exploiting Default Credentials


Foscam devices were known to be assigned the default username of “admin” and a blank password, which most users are likely to leave as is (unless the setup process demands the selection of a stronger password, which wasn’t the case in the vulnerable versions of Foscam devices). A simple Shodan query illustrates the sheer magnitude of the number of individuals and organizations who are unaware that their privacy can be so easily violated.

In August 2013, Foscam released an upgrade that prompted users to change the default blank password and gave them the ability to choose a username other than “admin”. However, as shown in Figure 3-4, users have to manually locate the software update and then apply it using the web interface. It is easy to imagine that most owners of Foscam devices weren’t aware of the availability of the security update.

In an age when users are accustomed to mobile and desktop devices that implement autoupdate features, it is also easy to imagine that people who were made aware of the update were unlikely to apply it, given that it involved the traditional process of downloading a file to manually upgrade their devices. This was confirmed in the previously referenced “Exploiting Foscam IP Cameras” research paper, in which the researchers concluded, “We found exactly zero cameras in the wild which run the latest firmware offered by Foscam. This could indicate end users who know to patch also know better than to hook up an IP camera to the Internet, or it could indicate that no one patches their cameras.”


64 CHAPTER 3: ASSAULTING THE RADIO NURSE—BREACHING BABY MONITORS AND ONE OTHER THING
