"The issue came to light on the company’s support forum after camera experts discovered that the Web interface for many Foscam cameras can be accessed simply by pressing “OK” in the dialog box when prompted for a username and password."
I understand that using this security hole to yell at a baby makes you a terrible person, but I'm also appalled at the company that made that situation possible for so many of its customers.
It takes a reasonably intelligent programmer to identify a security hole, and an entire team of foolish programmers to let one through. It's quite evident that this company only has the latter.
An internet routable camera in the house with a voice channel is the exact kind of thing that should have a two-plus factor authentication, strong TLS capabilities, responds only to pre-approved IP address ranges, and any other paranoid security practice that you can come up with.
In fact any tin foil class practice in these situations is worthwhile.
On the other hand, new parents are probably really stressed out (being awoken in the middle of the night, etc.) so I wonder whether parents would be willing to put up with two-factor auth on such a camera.
Checking the camera is a reflex you develop after the third time you get up and go to the baby's room seconds after hearing them cry, to find them sleeping.
I'm surprised to see such comments here, because I guess the majority of HN would say "definitely yes", but, honestly, I couldn't help laughing while reading that.
In all reason, a child that age has very little memory, and loud noises are not exactly rare in his environment, so… it is a little funny. I think reading in Feynman lectures would be funnier, but then again, I’m not a comedian.
This isn't even the first time this has happened, if I remember correctly. There are thousands of unsecured devices out there that no one will ever secure, because they were never registered, just plug and play devices bought at Target for $20. It's an insoluble problem unless someone writes an invasive fix-it worm or something.
As far as I'm concerned, Foscam cameras (the type in the story) are not securable. The firmware is complete trash. I have one and it is loaded with bugs. At least twice now I've gotten an urgent email telling me to update my firmware because of an exploit. I blocked mine on my router from accessing the Internet.
To give you notifications, it wants you to put in your email password, instant messenger password, FTP password, basically almost a dozen things that could destroy your life if hacked. And this buggy, remotely exploitable camera wants you to trust it with all of them.
It's most likely that the "hacker" in the news is from /g/. Every so often he has been posting videos on YouTube where he's yelling at people with unsecured IP cams.
https://rbt.asia/g/thread/S41535725
"Heather picked up her mobile phone and accessed the camera to check on her 10-month-old daughter Emma’s room."
There's a man's voice coming from my 10 month-old daughter's room ... should I check my phone or get out of bed and RUN over to make sure she's not being kidnapped, molested, etc? This mother's reaction makes me think she'll be texting her (soon to be) teen-age daughter at the dinner table instead of making conversation.
As an owner of one of these cameras I remember being appalled at how difficult it was to actually secure, how many settings needed to be changed, and how bad the defaults were. Foscam cameras are practically shipped open and insecure by default, and it's not a stretch to say that you need to be a security-minded technophile to figure out how to lock them down properly.
They make commercial routers look positively impregnable by comparison.
Well, while, obviously, this is atrocious behavior on the part of the hacker, I can't quite relate. I hovered over my kids and I can't imagine sticking my infant so far away from myself that a baby monitor would be necessary. I never used one. I think that's generally not a good use for modern tech. I think it's the kind of thing that falls under "what's wrong with the world today."
It's both amazing and scary that this kind of vulnerability is fairly common. Check out this great talk given at Defcon (https://www.youtube.com/watch?v=5cWck_xcH64) to get an idea of the magnitude. These are systems that do not require any kind of tampering or credentials. Most times credentials are given to you in a prompt!
The baby monitor we used, while without camera, wasn't even digital/internet based nor encrypted. Once we heard a kid call for "mama" before our baby could even speak. Wonder how many people listened in on us.
These cameras aren't baby monitors per se, they're designed for surveilling a space. They have both a microphone for listening and a speaker for... shouting at ne'er-do-wells stealing your stuff, presumably.
ipsin|12 years ago
primitivesuave|12 years ago
ultimoo|12 years ago
cbhl|12 years ago
jonny_eh|12 years ago
Easier would be to make it only available on the LAN and then access it via a VPN. But even that would be too complex for 99% of the population.
elwell|12 years ago
Sorry, this is just hilarious; partly because the journalist doesn't put the degradation in quotes.
subdane|12 years ago
strozykowski|12 years ago
She didn't just walk into her baby's room after hearing a man's voice?
emiliobumachar|12 years ago
snowwrestler|12 years ago
emocakes|12 years ago
erobbins|12 years ago
krick|12 years ago
bertil|12 years ago
NAFV_P|12 years ago
I have trouble picking which is more frightening, a flesh and blood intruder or a disembodied voice spying on you.
devindotcom|12 years ago
Torgo|12 years ago
librethrowaway|12 years ago
I'd wager that's who is behind this incident.
throwaway-9684|12 years ago
ars|12 years ago
3rd3|12 years ago
smoyer|12 years ago
senorprogrammer|12 years ago
Mz|12 years ago
jrvarela56|12 years ago
facepalm|12 years ago
anaphor|12 years ago
finnh|12 years ago
senorprogrammer|12 years ago
redeemedfadi|12 years ago
microcolonel|12 years ago
cpayne|12 years ago
I hate that kind of sensationalist, link baiting journalism.
emiliobumachar|12 years ago
IvyMike|12 years ago
"the use of exciting or shocking stories or language at the expense of accuracy, in order to provoke public interest or excitement"
The "at the expense of accuracy" part doesn't seem to apply here-- the hacker did in fact scream at a sleeping infant.
niix|12 years ago