A few weeks back, krebonsecurity.com published a great post called This is Why People Fear the ‘Internet of Things’. The article describes a pretty disturbing practice in Foscam’s newer cameras with “P2P support”. Auspiciously this feature is to allow non-technical users to access their cameras remotely without having to do any firewall configuration, which is all well and good. But, it seems, if you ARE a technical user and opt to turn this feature off… it doesn’t actually turn off!
I’m not saying this is necessarily a possible security breach. But the fact that you have to trust a Chinese company (who, apparently, has never thought to hire a single fluent English-speaker to produce its documentation and provide support) to secure their P2P network in a feature you can’t turn off is disturbing. Apparently Foscam has provided a firmware update to at least one user, although I haven’t been able to actually locate it online. So, if this really disturbs you, it looks like you can open a support ticket with them to get the firmware.
To find out if you’re actually affected by this issue, krebonsecurity.com helpfully links to this Lifehacker post to monitor your own network. I’ve used WireShark on my own network to check out traffic from my cameras, confirming that my (non-P2P cameras) are not making these extraneous out-of-network calls. The trick was to use a filter like this to only monitor traffic from my various cameras:
ip.src == 192.168.0.55 || ip.dst == 192.168.0.55 || ip.src==192.168.0.56 || ip.dst == 192.168.0.56 || ip.src==192.168.0.57 || ip.dst == 192.168.0.57 || ip.src==192.168.0.58 || ip.dst == 192.168.0.58
As you can see, the only network traffic from the cameras is to my PC (which is the video data flow to my Blue Iris installation):
While it’s a bit of a shady practice to have a “turn off” option in their UI that doesn’t work, I still wouldn’t recommend avoiding Foscam altogether; they’re still pretty great cameras for the money, and it’s most likely not done for nefarious purposes. That said, I have started looking for other possible solutions, and recently purchased this micro-camera for Raspberry Pi to try out creating my own security camera solution. I’ll do another post when/if that effort works out!