Foscam Forum • View topic - Security Concern with MyFoscam.org

Important Message from Foscam Digital Technologies Regarding US Sales & Service

Foscam.US (aka Foscam Digital Technologies and now Amcrest Technologies) is an independent United States based distributor of "Foscam" branded products. We have been offering telephone support, US local warranty and building the Foscam brand in the US for the past 7 years. Based on our experiences with Foscam and feedback from end users we have launched our own new and improved line of wireless IP cameras and security systems under the Amcrest brand. Working in partnership with the second largest security camera manufacturer in the world, Amcrest was founded with a deep commitment to end-user privacy and security, highly reliable software and hardware as well a seamless and intuitive user experience. For more information, please visit www.Amcrest.com

If you are having trouble with your Foscam cameras, we sincerely apologize for this inconvenience and would love to help. For technical support, response to inquiries and for obtaining replacements for any Foscam IP Cameras or NVR products, please reach out to tech@foscam.com or call 1-844-344-1113.

If you are interested in exchanging your Foscam camera for an Amcrest camera, we can offer you a massive loyalty discount, even if you are out of warranty. Please send an email to support@amcrest.com, sales@amcrest.com or call 1-888-212-7538

If you are subscribed to Foscam Cloud (www.foscamcloud.com), please contact cloud@foscam.us for support.

If you currently use the manufacturer's cloud service (www.myfoscam.com or linked in any way to www.foscam.com), you will need to contact them directly for support, at www.myfoscam.com.


Security Concern with MyFoscam.org

Users can ask and answer questions regarding Foscam IP Cameras

Moderators: mycam, FOSCAM

Re: Security Concern with MyFoscam.org

Postby mrcrlee » Thu Feb 07, 2013 10:15 pm

Don,

Thanks for the commands to both save the config, for future use, and to clear the DDNS. I had wondered about the safety of this mechanism given that the naming of the dns subdomain was easily decodable.

I would recommend that foscam put a portion of the serial number in the DDNS, moving forward.

-Chris
mrcrlee
 
Posts: 6
Joined: Sat Feb 02, 2013 7:07 pm

Re: Security Concern with MyFoscam.org

Postby TheUberOverLord » Thu Feb 07, 2013 10:21 pm

mrcrlee wrote:Don,

Thanks for the commands to both save the config, for future use, and to clear the DDNS. I had wondered about the safety of this mechanism given that the naming of the dns subdomain was easily decodable.

I would recommend that foscam put a portion of the serial number in the DDNS, moving forward.

-Chris


You are very welcome. Glad to help.

Don
TheUberOverLord
 
Posts: 13110
Joined: Fri Jun 22, 2012 11:52 pm

Re: Security Concern with MyFoscam.org

Postby ukfoss » Fri Feb 08, 2013 1:31 pm

Thanks for the clarification - my tech know-how is a bit dated, and only occasionally used - I should have remembered the port thing! In any case, I set it up on another port, so all is well :)
ukfoss
 
Posts: 2
Joined: Thu Feb 07, 2013 3:46 pm

Re: Security Concern with MyFoscam.org

Postby pulsar » Sun Feb 10, 2013 12:27 pm

I don't have the technical network security background that a lot of the posters here have but am fearful of what I may have let myself in for - so I'd appreciate any helpful answers:

1) I've already chosen the DNS option of xxxx.myfoscam.org (set to expire 2016). I did chose port # not equal to 80 and set up a password on the admin account. Is this enough to deter intrusions?
2) given (1) above how am I open to attacks or vulnerability? and if so what can I do.

Thanks to all who share their expertise.
pulsar
 
Posts: 1
Joined: Sun Feb 10, 2013 12:15 pm

Re: Security Concern with MyFoscam.org

Postby TheUberOverLord » Sun Feb 10, 2013 12:33 pm

pulsar wrote:I don't have the technical network security background that a lot of the posters here have but am fearful of what I may have let myself in for - so I'd appreciate any helpful answers:

1) I've already chosen the DNS option of xxxx.myfoscam.org (set to expire 2016). I did chose port # not equal to 80 and set up a password on the admin account. Is this enough to deter intrusions?
2) given (1) above how am I open to attacks or vulnerability? and if so what can I do.

Thanks to all who share their expertise.


IMHO. Most ISP IP Addresses have attempts to hack them daily. One would not see this normally, unless you had detailed logging going on with your Router/AP.

Virtually, everything you do using the Internet has access to your ISP IP Address. So as long as your devices on your network are secure, you should be ok.

Worse case, if your ISP Provider is a broadband provider. Then there are methods that can be used to instantly be assigned an new ISP IP Address if needed. But it would not make sense to do unless/until you decide to not be using any DDNS anymore. This way, whatever ISP IP Address the DDNS had for your last known ISP IP Address would then be invalid.

I go into how to do this, in some detail here:

security-concern-with-myfoscam-org-t3728-20.html#p20113

Don
TheUberOverLord
 
Posts: 13110
Joined: Fri Jun 22, 2012 11:52 pm

Re: Security Concern with MyFoscam.org

Postby pd5rm » Thu Feb 14, 2013 11:59 pm

There needs to be a way to disable this feature *completely* from the user interface as the presence of predictable hostname for camera (along with default password and upnp) creates a very serious security flaw. Also, this feature should clearly be disabled by default!

I've followed TheUberOverLord/Don's instructions with the cgi API and I hope that actually disables the setting (I haven't hooked up a packet analyser to confirm). I've sent an email to tech/support addresses in the hope they address this.
pd5rm
 
Posts: 3
Joined: Fri Jan 18, 2013 9:15 pm

Re: Security Concern with MyFoscam.org

Postby eyedol » Fri Feb 22, 2013 12:04 pm

Thank you to everyone who posted about this issue, you were very helpful to me. I was able to use Don's cgi fix to disable the ddns but I still don't know how to remove my IP that was already registered at myfoscam.org. It still resolves to my IP. Gah! Anybody figure this out?

Anyhow, I registered to say that in case anyone is still looking for a solution to this problem, foscam apparently released a firmware update for the FI8910 that gives you an option to disable the manufacturer's DDNS.

Check here for firmware 11.2.37.49:
http://www.foscam.com/down3.aspx

I will try this tonight and see how it works out.
eyedol
 
Posts: 1
Joined: Fri Feb 22, 2013 11:59 am

Re: Security Concern with MyFoscam.org

Postby TheUberOverLord » Fri Feb 22, 2013 12:21 pm

eyedol wrote:Thank you to everyone who posted about this issue, you were very helpful to me. I was able to use Don's cgi fix to disable the ddns but I still don't know how to remove my IP that was already registered at myfoscam.org. It still resolves to my IP. Gah! Anybody figure this out?

Anyhow, I registered to say that in case anyone is still looking for a solution to this problem, foscam apparently released a firmware update for the FI8910 that gives you an option to disable the manufacturer's DDNS.

Check here for firmware 11.2.37.49:
http://www.foscam.com/down3.aspx

I will try this tonight and see how it works out.


Please see this. While it won't remove the IP address that the DDNS already has as your last known ISP IP Address. In many cases, it will allow you to instantly, get a new ISP IP Address, which will make whatever the DDNS has for your current ISP IP Address, invalid.

security-concern-with-myfoscam-org-t3728-20.html#p20113

Don
TheUberOverLord
 
Posts: 13110
Joined: Fri Jun 22, 2012 11:52 pm

Re: Security Concern with MyFoscam.org

Postby ChuckHL » Sun Sep 15, 2013 10:13 am

Like avacomtech i had the same problem. The myfoscam.org ddns was hard coded to my camera. In addition, I am also concerned regarding the UPNP being enabled by default.

1) The myfoscam.org ddns was set and cannot be changed on the gui, just through gci scripts. Not sure if disabling actually disables it. (Can be deleted and disabled thanks to the TheUberOverLord post explaining how)
2) By default, the ddns is enabled along with the UPNP on the camera creating a security risk since it will try to expose the camera to the internet. Even if you delete the ddns, if your UPNP on the camera exposed your camera to the internet, you are still at risk. (Good thing I have my UPNP disable at the router so UPNP requests from the cameras are ignored)
ChuckHL
 
Posts: 1
Joined: Sun Sep 15, 2013 10:05 am

Re: Security Concern with MyFoscam.org

Postby TheUberOverLord » Sun Sep 15, 2013 2:56 pm

ChuckHL wrote:Like avacomtech i had the same problem. The myfoscam.org ddns was hard coded to my camera. In addition, I am also concerned regarding the UPNP being enabled by default.

1) The myfoscam.org ddns was set and cannot be changed on the gui, just through gci scripts. Not sure if disabling actually disables it. (Can be deleted and disabled thanks to the TheUberOverLord post explaining how)
2) By default, the ddns is enabled along with the UPNP on the camera creating a security risk since it will try to expose the camera to the internet. Even if you delete the ddns, if your UPNP on the camera exposed your camera to the internet, you are still at risk. (Good thing I have my UPNP disable at the router so UPNP requests from the cameras are ignored)

Yes. This becomes a very complex issue. After you have exposed your ISP IP Address to the DDNS provider.

While you could simply change the port for your camera to get around this, after disabling the DDNS in your camera. The DDNS will still have your ISP IP Address, when it is used.

I say this because the FREE Foscam DDNS interfaces, don't allow you to remove any ISP IP Address it may currently have in place. So, even if you initially want to use the DDNS and activate it but change your mind later. Most probably that DDNS will have a reference to your ISP IP Address eternally. If your ISP provider is a broadband ISP provider.

The only method to really change that fact. Since you have no other methods to tell the DDNS provider via some command to "Delete/Remove" whatever current ISP IP Address it has for your camera, is to force your ISP IP Address to change. This assumes your ISP is NOT providing a fixed IP Address, per your request and that your ISP is a broadband ISP provider.

Making sure that you first disable the DDNS in the camera before doing so. The same process will need to be repeated if you ever enable the DDNS again, by resetting the camera with the DDNS activated and connected or re-enabling the DDNS in the camera while the camera had internet access.

This only works generally for broadband ISPs that don't change your current ISP IP Address often, if ever. Many DSL providers use different ISP IP Addresses over long periods of time, so it's not so much an issue with DSL.

I go into some detail on how to go about this forced ISP IP change here:

http://foscam.us/forum/security-concern-with-myfoscam-org-t3728-20.html#p20113

Many, if not most Routers. Have a MAC Address Clone feature that allows you to use a different MAC Address as the Routers MAC Address. When you use this feature, in almost all cases that I am aware of, a broadband ISP will then because of that, change the ISP IP Address currently assigned to you.

This is for good reason. Say your ISP equipment, was used by someone else prior to you using it. If your ISP simply assigned your ISP IP Address based on the MAC Address of that ISP equipment. You would soon learn that ads you saw being displayed in internet sites, would be due to what that that prior persons interests were. Think Google Ads in web pages.

So. Because broadband ISPs also use the MAC Address of the equipment connected to it. Example your Routers MAC Address with an algorithm, this is how you end up with a unique ISP IP Address vs. the same ISP IP Address a prior user of your ISP equipment may have had.

Sadly. Many hackers exploit this same concept to regain access to websites they have been banned from, by their IP Address.

As one example. For a test. You could go here and get your current ISP IP Address:

http://myipaddress.com

If you for testing, were to remove your Router from your ISP equipment and instead, connect one of your computers to that same ISP equipment. When you used the same link above. Your ISP IP Address would now be different.

This is because your computer does NOT have the same MAC Address as your Router does.

Following the above instructions should leave the DDNS with the wrong ISP IP Address afterwards. Which is also easy to verify, by simply trying to access the camera using that DDNS and the port for your camera, after the ISP IP Address has changed.

Without doing this step for a broadband ISP. Once a DDNS was enabled and has been disabled in the camera. You can always STILL get to your ISP Address, using these Foscam FREE DDNS interfaces. Because the ISP IP Address. Is NOT removed from the DDNS, simply because you disabled the DDNS in the camera.

When you disable an already enabled DDNS in the camera. It does NOT stop the DDNS from still going to the last ISP IP Address it was told is correct. All disabling the DDNS in the camera does, is stop the camera from telling the DDNS what the cameras ISP IP Address, from time to time, currently is.

IMHO. I think there needs to be communications, in the future from the camera to the DDNS when the cameras DDNS is disabled. So that any ISP IP Address that DDNS may have had is removed at that time. Which currently, does not happen. That could be a complicated feature to add, when the DDNS for whatever reason is not available at the time you disable the DDNS in the camera. Because that request would need to be repeated, until the DDNS did receive that delete request, even after the camera was powered down or restarted later when the DDNS did become available.

I say this, because currently, there is nothing stopping anyone to disable the DDNS in the camera, with no outside Internet access currently available, at that time. So there would be some recovery logic also required to implement this properly.

You can also verify that the DDNS is using the OLD ISP IP Address after making this change. By going here and entering the DDNS with the port for your camera to see what IP Address is returned:

http://ipaddress.com/ip_lookup/

Again. The simple solution is to simply change the cameras port after disabling the DDNS in the camera. While this will not remove the current ISP IP Address that the DDNS has stored. Anyone that has a reference to that DDNS, with the cameras old port, will fail.

Personally. I would NOT use UPnP and would manually configure your Router for port forwarding. While the intent of activating UPnP is to minimize port forwarding configuration in the Router it comes with extra negotiations required and some additional security concerns. Which IMHO are not worth the risk of those negotiations failing from time to time or the additional security risks that come with UPnP being activated.

Don
TheUberOverLord
 
Posts: 13110
Joined: Fri Jun 22, 2012 11:52 pm

Previous

Return to Technical Support

Who is online

Users browsing this forum: No registered users and 6 guests