"The issue came to light on the company’s support forum after camera experts discovered that the Web interface for many Foscam cameras can be accessed simply by pressing “OK” in the dialog box when prompted for a username and password."
I understand that using this security hole to yell at a baby makes you a terrible person, but I'm also appalled at the company that made that situation possible for so many of its customers.
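The quoted bypass amounts to the camera treating any credential prompt that is dismissed with "OK" (empty username and password) as a successful login. The following is an added example, not code from Foscam or from the thread, showing the weak pattern beside a check that actually verifies an HTTP Basic credential; the user store, salt and password are constructed for the example.

```python
import base64
import hashlib
import hmac

# Constructed credential store (assumption for the example): username -> PBKDF2 hash.
_SALT = b"constructed-salt-for-example"


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 100_000)


USERS = {"admin": _hash("correct horse battery staple")}


def parse_basic_header(header):
    """Return (user, password) from an HTTP Basic Authorization header, or None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    if ":" not in raw:
        return None
    user, _, password = raw.partition(":")
    return user, password


def weak_is_authenticated(header):
    """Weak pattern: the mere presence of a parseable header counts as a login.

    Pressing OK on an empty browser dialog sends 'Basic Og==' (the base64 of ':'),
    which parses fine, so this check lets the request through.
    """
    return parse_basic_header(header) is not None


def is_authenticated(header):
    """Hardened check: reject empty fields and verify the password against the store."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    user, password = creds
    if not user or not password:
        return False
    expected = USERS.get(user)
    # Hash regardless of whether the user exists, so timing does not leak valid names.
    candidate = _hash(password)
    if expected is None:
        return False
    return hmac.compare_digest(candidate, expected)
```

The point of the two functions side by side is that "the header is present and well formed" is a parsing result, not an authentication result; the decision has to come from comparing the supplied secret with a stored one.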
It takes a reasonably intelligent programmer to identify a security hole, and an entire team of foolish programmers to let one through. It's quite evident that this company only has the latter.
It's not a team, all you need is one fucking idiot who sometime in the 80s once wrote some software that ended up on a satellite. After that everyone will believe whatever that idiot says.
I once spent two hours arguing about why using a single static AES key for encryption on an app used by millions of people, rather than just using SSL, was a bad idea; they talked about how secure it was, etc., etc.
After that frustration I went drinking; when I came back, I discovered that their shitty encryption system had a 4-byte field for how big the message was. I sent 256 20-byte requests to that system with message 'sizes' of 0xFFFFFF00-0xFFFFFFFF and watched as the server consumed about 64 GB of RAM before falling over. (It was a .NET app, so a request of that size has to go into gen3; since the subsequent requests are larger they can't reuse the existing block.)
Then I openly mocked them in the next meeting, they still went with their shitty encryption system because it was 'good enough' and apparently faster than SSL.
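The failure described above is a length-prefixed protocol that allocates whatever the 4-byte header declares before checking whether the body can possibly be that large. As an added example (not the commenter's code, and in Python rather than .NET), here is the unbounded reader beside a bounded one that caps the declared size before any allocation; the 1 MiB cap and the frame format are assumptions for the example.

```python
import io
import struct

MAX_FRAME = 1 << 20  # 1 MiB cap; an assumption, choose it from the real protocol's needs


class FrameTooLarge(ValueError):
    """Raised when a header declares a body larger than the configured cap."""


def frame(payload: bytes) -> bytes:
    """Encode one frame: 4-byte big-endian length followed by the body."""
    return struct.pack("!I", len(payload)) + payload


def read_frame_unbounded(stream):
    """Vulnerable pattern: buffer size comes straight from the attacker-controlled header.

    A 20-byte request declaring 0xFFFFFF00 bytes makes this allocate ~4 GiB.
    """
    hdr = stream.read(4)
    if len(hdr) < 4:
        raise EOFError("truncated header")
    (size,) = struct.unpack("!I", hdr)
    buf = bytearray(size)
    n = stream.readinto(buf)
    return bytes(buf[:n])


def read_frame_bounded(stream, max_frame=MAX_FRAME):
    """Hardened reader: reject oversized declarations before allocating anything,
    and only accept a frame whose body is actually present."""
    hdr = stream.read(4)
    if len(hdr) < 4:
        raise EOFError("truncated header")
    (size,) = struct.unpack("!I", hdr)
    if size > max_frame:
        raise FrameTooLarge(f"declared {size} bytes exceeds cap of {max_frame}")
    body = stream.read(size)
    if len(body) != size:
        raise EOFError("truncated body")
    return body


def count_rejected(raw_requests, max_frame=MAX_FRAME):
    """Run a batch of raw requests through the bounded reader; return (accepted, rejected).

    Used below to show how the 256-request burst from the comment fares against the cap.
    """
    accepted = rejected = 0
    for raw in raw_requests:
        try:
            read_frame_bounded(io.BytesIO(raw), max_frame)
            accepted += 1
        except (FrameTooLarge, EOFError):
            rejected += 1
    return accepted, rejected
```

The cap is the important line: once the size is bounded, the worst an oversized header can cost the server is the comparison itself, and a declared size that is not backed by bytes on the wire is treated as a truncated frame rather than as a reason to hold memory open.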
If the definition of a "team of foolish programmers" is letting a security hole through, then 100% of teams consist of foolish programmers.
Practical evidence shows that a baby monitoring webcam created by a team of the world's best security experts will still have security holes and stupid errors; for examples see any security software ever written - OpenSSL Heartbleed is not an exception, but business as usual.
While this is the case, I think it's pretty obvious that until this sort of thing happens, security is still seen as a "tack on", and treated like any feature (i.e., might be tested, might simply be released and let users find the bugs).
Similarly, I had a previous experience with a software VPN provider that simply let my Mac client log in without any credentials. I was completely unsurprised.
They probably don't have any programmers except one or two guys who brand the code with their messages and logo and such. Products like this are very often OEM'ed from another shop, who may OEM the code from one or more other shops. It's like sausage, and they might not have a clue what's in there. Someone's a shitty coder, but who knows for sure who this far down the supply chain.
An internet-routable camera in the house with a voice channel is the exact kind of thing that should have two-plus factor authentication, strong TLS capabilities, respond only to pre-approved IP address ranges, and follow any other paranoid security practice that you can come up with.
In fact any tin foil class practice in these situations is worthwhile.
On the other hand, new parents are probably really stressed out (being awoken in the middle of the night, etc.) so I wonder whether parents would be willing to put up with two-factor auth on such a camera.
Is opening your laptop, waiting for it to pull up the site, loading the feed, and waiting until your eyes can actually focus faster than walking 10-20 feet down a hall to another room?
Maybe I just don't understand the company's target use case not having children of my own.
I'm thinking checking your phone while you are at dinner is probably a little faster than walking back to the house. And having a window up and running while you are in another room working is also probably faster. The baby is supposed to be sleeping; you don't need to walk into the room every 5 minutes to check.
I'm also going to guess the use case is NOT for people without children.
You don't wait for it to load - you leave it running all the time. Some kids wake up and don't cry right away; it's best to take them out of the crib then, and not wait for crying.
Checking the camera is a reflex you develop after the third time you get up and go to the baby's room seconds after hearing them cry, to find them sleeping.
Perhaps it's a cultural thing. When my Northern Irish colleague was raising a family in Hong Kong, he would let his baby cry in her cot for five to ten minutes before going into the room.
Nothing unusual, that's generally what we do here. The baby will often settle back to sleep and learn that crying doesn't always result in attention.
But the neighbours in his apartment were aghast and would immediately knock at his door, panicking because his baby was crying and berating him for 'abandoning' her! And the next day they would continue the chastisement; apparently the local custom was to pick up a crying baby immediately.
I mean, we can understand that, but surely when you hear a strange man's voice, that is going to snap you out of the normal reflex actions? I guess if you are always tired you don't always think straight.
In almost all dangerous situations, the child's safety is conditional on the parent's safety because the child is helpless without the parent. This is why, when the oxygen masks drop in an airplane, you put your mask on before helping your child.
And because people are not typically all that rational when their children's lives are in danger, on every flight I've ever been on they reiterate that parents should first help themselves before helping their children.
I'm surprised to see such comments here, because I guess the majority of HN would say "definitely yes", but, honestly, I couldn't help laughing while reading that.
In all reason, a child that age has very little memory, and loud noises are not exactly rare in his environment, so… it is a little funny. I think reading the Feynman lectures would be funnier, but then again, I'm not a comedian.
Not true at all. Yes, they won't remember specific events, but they certainly do remember the way things work, and they now have a fear response to a certain kind of voice.
It hopefully will fade, but not necessarily. I've met babies (and one toddler) who were scared of men but not women.
This isn't even the first time this has happened, if I remember correctly. There are thousands of unsecured devices out there that no one will ever secure, because they were never registered, just plug and play devices bought at Target for $20. It's an insoluble problem unless someone writes an invasive fix-it worm or something.
As far as I'm concerned, Foscam cameras (the type in the story) are not securable. The firmware is complete trash. I have one and it is loaded with bugs. At least twice now I've gotten an urgent email telling me to update my firmware because of an exploit. I blocked mine on my router from accessing the Internet.
To give you notifications, it wants you to put in your email password, instant messenger password, ftp password, basically almost a dozen things that could destroy your life if hacked. And this buggy, remotely exploitable camera wants you to trust it with all of them.
It's most likely that the "hacker" in the news is from /g/. Every so often he has been posting videos on YouTube where he's yelling at people with unsecured IP cams.
https://rbt.asia/g/thread/S41535725
"Heather picked up her mobile phone and accessed the camera to check on her 10-month-old daughter Emma’s room."
There's a man's voice coming from my 10-month-old daughter's room ... should I check my phone or get out of bed and RUN over to make sure she's not being kidnapped, molested, etc.? This mother's reaction makes me think she'll be texting her (soon to be) teenage daughter at the dinner table instead of making conversation.
As an owner of one of these cameras I remember being appalled at how difficult it was to actually secure, how many settings needed to be changed, and how bad the defaults were. Foscam cameras are practically shipped open and insecure by default, and it's not a stretch to say that you need to be a security-minded technophile to figure out how to lock them down properly.
They make commercial routers look positively impregnable by comparison.
Well, while, obviously, this is atrocious behavior on the part of the hacker, I can't quite relate. I hovered over my kids and I can't imagine sticking my infant so far away from myself that a baby monitor would be necessary. I never used one. I think that's generally not a good use for modern tech. I think it's the kind of thing that falls under "what's wrong with the world today."
It's both amazing and scary that this kind of vulnerability is fairly common. Check out this great talk given at Defcon (https://www.youtube.com/watch?v=5cWck_xcH64) to get an idea of the magnitude. These are systems that do not require any kind of tampering or credentials. Most times credentials are given to you in a prompt!
The baby monitor we used, while without camera, wasn't even digital/internet based nor encrypted. Once we heard a kid call for "mama" before our baby could even speak. Wonder how many people listened in on us.
These cameras aren't baby monitors per se, they're designed for surveilling a space. They have both a microphone for listening and a speaker for... shouting at ne'er-do-wells stealing your stuff, presumably.
The facts are there, but they might be framed in a way to make them come off as worse, or more impressive than they really are, hiding a more representative reality.
To take a controversial example: pointing out how many hardened criminals are from a certain ethnic background might be true, yet without precautions about discrimination, correlation with economic opportunities, expectations once jailed a first time, attitude of the parole system… it can come off as racist, because it over-simplifies a problem. In many cases, say pointing out the gender breakdown of declared sexual assailants, it takes a minority behaviour and attaches it to a larger group.
In that case, the title seems to imply (although, does not say) that the ‘hacker’ was a threat to the baby. He never actually was: yelling at a baby is callous coming from an adult, but their siblings probably do that daily. More to the point, it gives the impression that accessing a home connexion is about bodily harm and threats to physically fragile people -- or even heartless pranks. Truth is: the real issue is a lot more about accessing your digital assets, identity and bank account.
I'm curious how you would have written the headline, since you seem to be wading through a very large miasma of implications in order to come to your conclusions.
I would rather consider a study on the ratio of home appliances, mainly routers and computers, that have been tampered with -- from a large and representative sample. I would measure actual damages and intent, and describe insulting an infant as a "careless prank" without giving much more detail. I would probably focus my angle on security updates, and consider practices: namely, what was said higher up about parents being tired and most likely sensitive to simpler authentication protocols. I would actually like to investigate why so many people are dubious of updates.
> miasma of implications
I’m not sure that tone applies.
An infant has bare social skills, little idea of property beyond holding and no lasting memory; it is therefore far less sensitive to the threat of 'hacking' than its parents. I don't see any miasma in "implying" (nota: I was being careful because you come off as very anal) that it was used as a symbol of frailty that needs protecting — a symbol that only makes sense in an inappropriate physical interpretation of the event.
Then again: You were the one asking why that title could be seen as inappropriate. Could. I answered that. I didn’t claim my answer was purely objective: interpreting representativity never entirely is.
I will now remember not to answer questions you ask, certainly in a way that could possibly change your position: you obviously don't like that. In a related concern: what the f-ck is someone so bigoted doing on Hacker News?
1) I'm not the person you think you're responding to.
2) You're objectively lying about what you're responding to.
3) What position did I take, precisely, that you'd like to change?
4) Have you considered learning how to read? Because being incapable of it is the most charitable conclusion I can draw from your comment... and that's not even bothering with the original topic.