Cheap Internet of Things devices like Foscam's home CCTVs are designed to covertly tunnel out of your home network, bypassing your firewall, so they can join a huge P2P network of 7 million other devices that is maintained and surveilled by their Chinese manufacturer.
Foscam's terrible design decision — to have their devices transmit a "heartbeat" to the manufacturer and link with one another — is an egregious instance of the way IoT companies routinely "ignore security and/or privacy concerns," but it's hardly unique.
What makes Foscam's negligence so breathtaking, though, is that their crapgadgets actually have a setting to turn the P2P feature off, but that setting does nothing.
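Since the toggle can't be trusted, the only way to know whether a camera has really stopped peering is to watch its outbound traffic. As an added illustration (not code from the original post or from Foscam), this Python script flags a LAN host that beacons to one external address at a fixed period or contacts many distinct external peers, run over a constructed set of flow records; the subnet, addresses and timings are assumptions.

```python
"""Flag LAN devices that beacon to one external host or fan out to many
external peers: a wire-level check that a 'P2P off' toggle actually works."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from statistics import median
LAN = ip_network("192.168.1.0/24")  # assumed home subnet

# Constructed flow records (timestamp_s, src_ip, dst_ip), not real captures.
FLOWS = [
    # camera: steady ~60 s "heartbeat" to a single external host
    (0, "192.168.1.50", "203.0.113.10"), (60, "192.168.1.50", "203.0.113.10"),
    (121, "192.168.1.50", "203.0.113.10"), (180, "192.168.1.50", "203.0.113.10"),
    # camera: one-off contacts with many distinct external peers (P2P fan-out)
    (30, "192.168.1.50", "198.51.100.7"), (35, "192.168.1.50", "198.51.100.8"),
    (41, "192.168.1.50", "198.51.100.9"), (44, "192.168.1.50", "198.51.100.12"),
    (50, "192.168.1.50", "198.51.100.30"),
    # camera talking to the router: LAN traffic, ignored
    (40, "192.168.1.50", "192.168.1.1"),
    # laptop: ordinary browsing, two hosts, irregular timing
    (5, "192.168.1.20", "203.0.113.50"), (70, "192.168.1.20", "203.0.113.50"),
    (72, "192.168.1.20", "203.0.113.51"), (300, "192.168.1.20", "203.0.113.50"),
]

def external_flows(flows):
    """Keep only flows whose destination lies outside the LAN."""
    return [f for f in flows if ip_address(f[2]) not in LAN]

def heartbeats(flows, min_beats=3, max_jitter=5):
    """Map src -> (dst, period_s) for pairs contacted at a near-constant interval."""
    times = defaultdict(list)
    for ts, src, dst in external_flows(flows):
        times[(src, dst)].append(ts)
    found = {}
    for (src, dst), ts in times.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]  # spacing between contacts
        if len(gaps) >= min_beats - 1 and max(gaps) - min(gaps) <= max_jitter:
            found[src] = (dst, median(gaps))  # regular spacing = beacon
    return found

def fanout(flows, min_peers=5):
    """Map src -> count of distinct external peers, for sources at or above min_peers."""
    peers = defaultdict(set)
    for _, src, dst in external_flows(flows):
        peers[src].add(dst)
    return {src: len(p) for src, p in peers.items() if len(p) >= min_peers}

if __name__ == "__main__":
    print(heartbeats(FLOWS))  # the camera beacons every ~60 s
    print(fanout(FLOWS))      # the camera touched 6 external peers
```

Point it at exported router or firewall flow logs after switching P2P "off": a device that still shows up in either result has ignored the setting.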
Apparently I'm not alone in my bafflement. Nicholas Weaver, a senior researcher in networking and security for the International Computer Science Institute (ICSI), called the embedded P2P feature "an insanely bad idea" all around.
"It opens up all Foscam users not only to attacks on their cameras themselves (which may be very sensitive), but an exploit of the camera also enables further intrusions into the home network," Weaver said.
"Given the seemingly cavalier attitude and the almost certain lack of automatic updates, it is almost certain that these devices are remotely exploitable," he added. "It is no wonder that Director of National Intelligence James Clapper is worried about the Internet of Things, how many government officials have or may unwittingly install potential spies like this in their home."
[Brian Krebs/Krebs on Security]