Abusing the Internet of Things

(Rick Simeone) #1

This feature essentially allows every camera to update its IP address to point to a hostname of xx####.myfoscam.org (valid hostnames were found to be between aa0000 and ep9310). This allows users to log in to their camera using a web browser on a device outside of their home without having to remember their numeric IP address. All the user has to do is remember the hostname associated with the myfoscam.org Dynamic DNS service.

The Foscam devices use the User Datagram Protocol (UDP) to update their hostname mappings by sending a UDP packet to a server owned by Foscam. The UDP packet contains the username and password associated with the device, both of which are the hostname itself. The “Exploiting Foscam IP Cameras” paper illustrates how an attacker can abuse this knowledge to invoke phishing attacks:


1. The attacker queries ns1.myfoscam.org to get and store the current IP address of a particular device with a hostname within the known good range of aa0000 and ep9310. For the sake of our argument, assume the target is aa0000.
2. The attacker sends a UDP datagram to Foscam with a username and password of aa0000.
3. The Foscam service updates its Dynamic DNS records to point aa0000 to the source IP address of the attacker.
4. The attacker runs a web server on that IP address that looks identical to that of the Foscam interface.
5. The attacker waits for the owner of the device to browse to aa0000.myfoscam.org, which will now connect to the attacker’s web interface rather than the interface for the actual device owned by the victim.
6. The victim supplies her credentials, which the attacker captures.
7. The attacker then displays an “Invalid username or password” message, causing the victim to assume she has mistyped the credentials.
8. At this point, the attacker can send a spoofed UDP datagram to the Foscam Dynamic DNS service with the original IP address of the device (captured in step 1). Now, when the victim visits aa0000.myfoscam.org again, she will be directed to her actual Foscam device instead of the attacker’s web server. In this way, the attacker will retain the victim’s credentials and the victim will have little reason to suspect those credentials have been compromised. The attacker can now connect to the victim’s device directly and reuse the captured credentials to log in and control the device.
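
From the owner's side, the sequence above leaves one observable trace: the hostname's address record moves away from the camera and later returns to it (steps 3 and 8). The following detection sketch is an added example, not code from the book or the cited paper; the function name, the polling log format, and the sample addresses (documentation ranges) are constructed assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed poll log: (UTC time, hostname, A record returned to a periodic lookup).
SAMPLE_POLLS = [
    ("2015-01-01T10:00:00", "aa0000.myfoscam.org", "198.51.100.7"),
    ("2015-01-01T10:05:00", "aa0000.myfoscam.org", "198.51.100.7"),
    ("2015-01-01T10:10:00", "aa0000.myfoscam.org", "203.0.113.50"),
    ("2015-01-01T10:15:00", "aa0000.myfoscam.org", "203.0.113.50"),
    ("2015-01-01T10:20:00", "aa0000.myfoscam.org", "198.51.100.7"),
    ("2015-01-01T10:25:00", "aa0000.myfoscam.org", "198.51.100.7"),
]

def find_flip_and_restore(polls, max_gap=timedelta(hours=6)):
    """Flag hostnames whose record left address A, pointed somewhere else,
    and returned to A within max_gap. An ordinary ISP address change moves
    the record once and does not come back, so it is not flagged."""
    alerts = []
    state = {}  # hostname -> current address, previous address, time of last change
    for ts, host, raw in sorted(polls):  # ISO 8601 strings sort chronologically
        when = datetime.fromisoformat(ts)
        addr = ip_address(raw)  # also rejects malformed addresses in the log
        s = state.setdefault(
            host, {"current": addr, "previous": None, "changed_at": None}
        )
        if addr == s["current"]:
            continue  # record unchanged since the last poll
        if s["previous"] == addr and when - s["changed_at"] <= max_gap:
            alerts.append({
                "host": host,
                "home": str(addr),             # address the record returned to
                "detour": str(s["current"]),   # address it pointed to in between
                "left": s["changed_at"],
                "restored": when,
            })
        s["previous"], s["current"], s["changed_at"] = s["current"], addr, when
    return alerts

if __name__ == "__main__":
    for alert in find_flip_and_restore(SAMPLE_POLLS):
        print(alert)
```

Any login attempted against the hostname between the `left` and `restored` times of an alert should be treated as exposed, and the camera password changed.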

In the case of Mark Gilbert, it is unclear exactly what method the attacker used. However, it is reasonable to hypothesize that the attacker leveraged a combination of the techniques and vulnerabilities discussed so far.


CHAPTER 3: ASSAULTING THE RADIO NURSE—BREACHING BABY MONITORS AND ONE OTHER THING
