Locking down your Foscam so hackers can’t spy on your baby

Foscam Control Screen

I wrote a bit about the people who broke into a badly-secured Foscam webcam and started screaming at a sleeping kid, so I figured I’d write about what went wrong and how to fix it. The camera and the company aren’t inherently bad; it’s just a matter of releasing a spy camera with very few safeguards into the wild.

The first thing to understand is that it was not the hardware’s fault. It was a non-technical person setting up a potentially very explosive piece of technology using software written by people with a basic lack of understanding of security.

The short and sweet of it is that the password lengths were far too short and the camera advertised to the internet where it was. The admin password for viewing these things also defaults to blank, meaning “admin” with no password will get you into them.

Fixing your Foscam step 1: update the firmware

We’ll get the hardest part out of the way first as you’ve got to be on a more current firmware to secure the thing better.

You’re going to need to move the Foscam you’ve got into a room with your computer in it, as you’re not supposed to trust the wireless to handle the firmware updates. Assuming you have a computer, attach the camera to the same router that your computer is connected to. For the non-technical: locate something that’s blinking and plugged into your computer; that’s probably it.

Using the IP Camera Tool that came with the camera, locate the IP address and system firmware version. You can do this by right clicking on the only thing that should be displaying in the IP camera tool.

Next, go to foscam.us. You’ll need to locate the model of your webcam; they’ll require an email address to send the info to, then you’ll have to click something that says you got the email, and then you’ll finally be given a download location. They do this so they get your email address and can spam you later.

Unzip the contents of the file you’ve downloaded somewhere you can find them easily. You’ll update the system firmware first, then the Web UI version. During each of these updates the camera will have to reboot, so you’re looking at a couple of minutes to update the firmware after you’ve given them your email address and got the mail.

Actions to take via the web interface follow

Chances are if you have one of these cameras, you know how to access the web interface. That would be the IP address you use to view the camera, with the password you selected for administrator. It’s the section called Device Management on the bottom left.

Set a strong administrator password

This is a password that lets people view and talk to your baby. Using drawssap just means you’re an idiot when it comes to security. Make sure the administrator password is a good one. You can even write it on a post-it note and stick it to the back of the webcam if you want.

Don’t give out administrator accounts

You have visitor, operator, and administrator. Visitors can see, operators can move the camera around, and administrators can do great evil.

Disable DDNS

DDNS allows you to use an address like cd99431.myfoscam.org as your webcam address on the internet. A hacker with a little time on their hands can go through the cdxxxxx.myfoscam.org addresses and find the ones that are active and live without too much trouble.

If your IP address changes on a regular basis, which is not the case on most major ISPs now, I’d advise going with a third party DDNS service if you need to access the webcam from outside all the time.

Other

Don’t use MSN Settings. Seriously. What is that for, like a panda cam?

Use a non-standard HTTP port

While it isn’t hard to find a camera on a port other than 80, it’s more work than an automated script is likely to do. Change it to a higher number, such as your child’s birthdate or the first 4 digits of your phone number or something.

Use a VPN rather than port forwarding

You can set up a VPN in your house just as easily as you can set one up at work. That way you don’t even have to worry about random port scans managing to find your security camera in the first place. You’ve got the thing locked down.

The webcam has a log, use it

Assume for a second you come into a room and hear the webcam screaming at you or your child. Well, you’ve failed as a security pro, but there’s no reason you can’t win as a forensics analyst.

In the settings menu there’s a log. Copy the contents of that and you’ll have the IP address of the people who broke into your webcam and the user account they used to do it.

Even if you haven’t had people advertising they broke in, the log will show you if anyone has been snooping around.
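A small script, added here as an example and not part of the original post, that does the “has anyone been snooping” check over the copied log: it flags every access that came from outside the home LAN or used an account you never created. The log format (timestamp, user, IP, event) and the sample lines are constructed assumptions; the real Foscam log layout varies by firmware, so adjust LINE_RE to match yours.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log in an assumed "date time user ip event" layout.
# The public addresses are documentation-range examples, not real attackers.
SAMPLE_LOG = """\
2013-08-13 21:02:11 admin 192.168.1.20 access
2013-08-13 21:05:40 visitor 192.168.1.31 access
2013-08-14 02:17:03 admin 203.0.113.45 access
2013-08-14 02:17:09 admin 203.0.113.45 access
2013-08-14 02:18:50 operator 198.51.100.7 access
2013-08-14 02:20:00 guest 192.168.1.40 access
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+)$")

# Address ranges that can only come from inside your own house (RFC 1918 + loopback).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_log(text):
    """Return (timestamp, user, ip, event) tuples, skipping lines that don't match."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(m.groups())
    return entries


def is_local(ip):
    """True if the address belongs to the home LAN; malformed addresses count as not local."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LAN_NETS)


def suspicious_logins(text, known_users=("admin", "visitor", "operator")):
    """Flag accesses from outside the LAN or from accounts you did not create.
    Returns a sorted list of (ip, user, count) so repeat visitors stand out."""
    hits = Counter()
    for _ts, user, ip, _event in parse_log(text):
        if not is_local(ip) or user not in known_users:
            hits[(ip, user)] += 1
    return sorted((ip, user, n) for (ip, user), n in hits.items())
```

Any entry this returns is either someone outside your house reaching the camera directly (so port forwarding or DDNS is still exposing it) or an account you did not make, which means the administrator password has already been used against you.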

Where can I get one of these wonderful toys?

Since that story broke about the webcam break-ins, the price has dropped significantly. Woot had them on sale last week, and Amazon now has them for $77.95. They’re marvelous little 640×480 night-vision pan-and-tilt cameras.

They’re just not particularly great if you’re not fluent in IT.