The Foscam Saga Continues
The Gilbert incident occurred in August 2013. In April 2014, another such incident occurred
in the home of Heather Schreck. Around midnight, Heather was startled by a man’s voice in
her daughter Emma’s bedroom. Heather noticed the baby monitor camera move and heard a
voice saying “Wake up, baby, wake up, baby” emit from the device. Heather’s husband Adam
ran into Emma’s room, saw the camera turn toward him, and heard obscenities targeted at
him. Adam then unplugged the camera. Yes, this was also a Foscam camera.
This is yet another example of how vulnerabilities in IoT devices such as baby monitors
can persist, especially if the device manufacturer does not implement a seamless method to
push security patches to existing devices. As discussed earlier, the manual procedure required
to update Foscam devices pretty much guarantees most people are unlikely to do so: few will
make the effort to find and apply security patches. Given the hundreds of thousands of
Foscam devices that can be found on the Internet with a simple Shodan query, incidents such
as those targeting the Gilbert and Schreck families are likely to recur.
In January 2014, just a little before the Schreck incident, a user publicly posted a severe
authentication bypass vulnerability on Foscam’s public discussion forum (shown in
Figure 3-5).
According to the forum post, it is possible to completely bypass authentication by leaving
both the username and password fields blank. In response, Foscam released a patch that
resolved the issue, but the manual steps outlined to apply the patch were the same as those
shown in Figure 3-4. Yet again, requiring such a cumbersome and manual process makes it
extremely unlikely that Foscam devices accessible on the Internet have this patch applied.
It is unknown exactly which of the Foscam attacks were exploited in the Gilbert and
Schreck incidents, but this authentication bypass issue is one of the easiest to abuse, so it is
quite likely that it has been leveraged to invade the privacy of some Foscam users, given the
number of devices that can be queried using Shodan.
THE FOSCAM INCIDENT 67