For what it’s worth, Team BBC says that the camera involved was a Foscam product. Looking at their product lineup strongly suggests that this was an IP cam, presumably hit through some horrifyingly trivial failure of implementation, rather than one of the old-school 900MHz or 2.4GHz analog video blaster systems (which are even worse; but at least only accessible within RF range, rather than anywhere).
Unfortunately, the security of embedded computers is generally pretty appalling, and “security” cameras have the handy feature of being pointed at things people value…
Geez, poor kid!
This reminds me of a story in Ghost in the Wires when Kevin Mitnick and his high school buddies hacked into the drive-through intercom at McDonald’s and hurled abuse at drivers just trying to place their orders…
Oh good, I have that IP cam. Unless the parents in the story failed to secure it with a password (or something equally basic), I suppose I’m at risk as well. Time to check that firmware version…
EDIT: and yeah, the latest firmware includes:
- Enhance security to prompt user change the default blank login password
- Fix several vulnerabilities to improve security
I imagine most parents who buy such a device would have no idea what “firmware” is.
It doesn’t seem to me the camera should have to be secure any more than a diamond ring should prevent itself from being stolen. The person using the camera should be responsible for securing it same as they’re responsible for securing their jewelry. All an IP camera does is run a webserver for you to download/control the camera. It’s up to you to make sure it’s not accessible from outside your local network.
If it somehow punched a hole through your router/firewall maybe that would be cause to hold the company responsible. Otherwise no.
BTW: As an aside, every app you download to your phone/tablet can potentially see everything on every network you connect it to. I’d suggest running OpenWRT or some other router that lets you run multiple wireless networks. Put your phone / tablet on one network and your PC on another (not without its headaches but…)
I like that this post is just downstream from Cory’s review of the minimalist parenting book. If I felt the need to take an occasional peek in on my kids, I think I’d use the wired network that connects my eyes to my visual cortex.
Of course, one of the most useful things about an IP cam is being able to access it over the internet. That’s problematic if one’s really using it as a “baby monitor”, I suppose (I’m not), but in any case any device exposed to the internet needs to be secured and regularly updated.
If I weren’t lazy, I’d probably set up a home VPN rather than just punching a hole in the firewall; but it really would be nice to know more about the attack vector used in this case.
Fairly reliable the ol’ eye sockets are, and they require minimal configuration.
Sorry I’m going to get geeky here but …
SSH is your friend. (or VPN). You put the camera on your local net and don’t make it accessible from the internet directly. You set up an SSH server. Some routers can do this otherwise you need a PC always running Win/OSX/Linux. You set up dynamic DNS. Most routers can do this. You then SSH tunnel into your local network to the IP camera. Too much to go into here. Maybe someone should ask this question on a stackexchange site?
Clearly there’s a market for a less geeky solution (although as a geek I have a problem trusting non-open source networking stuff).
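The SSH tunnel setup described in the comment above, sketched as an added example that is not part of the original thread. It assumes OpenSSH on both ends; the host name `home.example.net`, the account `camview`, the key file name and the camera address `192.168.1.50:80` are placeholders.

```conf
# ---- Server side: /etc/ssh/sshd_config on the always-on home machine ----
# Only the SSH port is forwarded on the router; the camera itself is never
# exposed to the internet.

# Keys only: no password guessing against the one service that is reachable.
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no

# "camview" is a hypothetical account used for nothing but viewing the camera.
Match User camview
    # Allow client-to-LAN forwarding only, and only to the camera's web port
    # (192.168.1.50:80 is an assumed LAN address).
    AllowTcpForwarding local
    PermitOpen 192.168.1.50:80
    # No terminal, no agent or X11 forwarding for this account.
    PermitTTY no
    X11Forwarding no
    AllowAgentForwarding no

# ---- Client side: ~/.ssh/config on the laptop or phone ----
Host homecam
    # Dynamic DNS name pointing at the home router (placeholder).
    HostName home.example.net
    User camview
    # Dedicated key for this purpose (file name is an assumption).
    IdentityFile ~/.ssh/id_ed25519_homecam
    IdentitiesOnly yes
    # Bind the tunnel to loopback so nothing else on the client's network
    # can reach the camera through it.
    LocalForward 127.0.0.1:8080 192.168.1.50:80
    # Fail loudly if the forward cannot be set up, and notice dead links.
    ExitOnForwardFailure yes
    ServerAliveInterval 30
```

With this in place, `ssh -N homecam` opens the tunnel and the camera's web interface is reached at `http://127.0.0.1:8080/` on the client. The camera's own login still needs a non-default password, since anything already on the home LAN can talk to it directly.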
The weakness in the camera allows you to just hit a URL and get the mjpeg feed. No authorisation required! There is some more info here: http://atenlabs.com/blog/get-your-creep-on/ and a real life implementation at http://www.atenlabs.com/camwar/.
This is a variation on the “people leaving random crap open on the internet” thing.
It is an IP Foscam, I have the same. The easiest software solutions for the camera were horribly insecure. I was able to put something together that was more secure, but the thing crapped out after 3 months, so it’s no longer an issue.
Just replied as new topic (over to the top right of original comment), if you want to carry on the discussion.
Am I going to hell if I thought this was funny?
Our old analogue baby monitor was picking up crying babies elsewhere along the street at one point. It occurred to me that you could write a great horror story around that with disturbed people spying on their neighbours’ kids’ bedrooms.
Here is a tragifarce with an angry and ignorant baby-monitor user facing off against a frustrated HAM radio enthusiast who wants their cheap, nasty, RF-spewing garbage off his licensed band…
No apparent malice on the eavesdropper’s part; but apparently the quality control on cheap baby monitors is…not everything it might be…
At least most parents are aware of their babies being very “wetware”.
I prefer to think that it’s picking up the ghosts of murdered babies.
I think that’s a bug in a different model of camera.
The Foscam hack is based on a directory traversal bug (see here) which dumps the system memory, then you can extract the username/password from the dump.
Someone needs to tell this guy about “the Internet”. I seriously do not get HAM radio enthusiasts post 2003 or so.