Security Issue - Why has firmware not been updated in so long?


    I know these cameras are re-badged Foscam, likely FI9815P/v2 or FI9816P/v2 if revision 3.9 or older... Or FI9815P v3 if revision 4.0 or newer...

    Looking at the firmware listed from Insteon support page, for revision 3.9 or older firmware is from Apr 17, 2015... and for revision 4.0 or newer Jul 19, 2016

    There have been many security issues raised with Foscam between then and now that have been resolved in multiple firmware patches... Most recently this from Nov 2017 - https://www.foscam.com/company/secur...171117001.html

    Needless to say it's very disappointing to see Insteon do nothing to update their firmware to address security issues identified... Should have just bought Foscam instead of supporting Insteon cameras...

    Is there any hope in Insteon actually updating their firmware? Or are we left to try an experiment by flashing Foscam firmware to our Insteon Cameras?

    Edit/Update 12/15/17 -
    According to Foscam/Fostar official support the INSTEON 2864-222 HD camera with v4.0 or higher is the FC2406P which is the OEM of FI9816P...

    They use chipset Hi 3518E which was the one mentioned in the security notice! So wow is all I have to say to you naysayers

    Now hopefully this does get some awareness and people will start requesting INSTEON support do something about it, until then I will wait for my INSTEON support response and share with the "peers" of this forum that might actually care...

    Screen shots will be posted to prove my exchange with Foscam/Fostar

    -Derek
    Last edited by Formula84; 12-15-2017, 08:42 AM.

    #2
    For your reference:

    Insteon Indoor HD 2864-22X = FC2401P
    Insteon Outdoor HD 2864-23X = FI9804P

    Neither one of these models was identified with an issue so there is no need for Insteon to update anything.



      #3
      Originally posted by SeanM View Post
      For your reference:

      Insteon Indoor HD 2864-22X = FC2401P
      Insteon Outdoor HD 2864-23X = FI9804P

      Neither one of these models was identified with an issue so there is no need for Insteon to update anything.
      Thanks for the model info... Can you further explain "Neither one of these models was identified with an issue so there is no need for Insteon to update anything."

      How is it you know they weren't identified with an issue, did someone from Insteon dev look over the publicly disclosed foscam issues and confirm they were not?

      The issues brought up were about Foscam firmware specifically because they are a public seller and manage the software... and due to the large scale of use + many paranoid people, security researchers analyze their devices and find issues with them and report that info publicly so Foscam can address. This is not the case for Insteon, and I am sure their base firmware shares 99% of the Foscam's minus branding from the looks of the web portals. You really confident that there are not the same security issues in this 2015 firmware that has not been updated since multiple security issues were found with same hardware used by Foscam?

      Since you just confirmed the model number I found that the camera is made by an OEM for businesses to brand and resell... however that company does not provide any software downloads for their devices, I am guessing because they are OEM and not the company to support.

      In page 3 of the below manual for the HD cam it does reference the model number you listed so I believe you are right about that... thanks.
      http://cdn2.bhphotovideo.com/lit_files/253889.pdf



        #4
        REALLY!!! Did you not read the notice that you yourself linked to or just see that it has the Foscam name so assume it's every single product? Your own link has the specific models. None of which are the models that Insteon uses. As a company that does business with them, I am quite certain that they had direct talks with Foscam about whether or not their cameras are affected.



          #5
          Originally posted by lilyoyo1 View Post
          REALLY!!! Did you not read the notice that you yourself linked to or just see that it has the Foscam name so assume it's every single product? Your own link has the specific models. None of which are the models that Insteon uses. As a company that does business with them, I am quite certain that they had direct talks with Foscam about whether or not their cameras are affected.
          REALLY!!! Yelling, come on... lol, apologies but your "I am quite certain" assumption is not good enough for me.

          Yeah I read the link I posted, that's why in my comment I tried to express... I know this is for Foscam... but they all use the same hardware and I doubt Insteon devs wrote the firmware from scratch themselves... they likely just customized it using SDK... the only reason Foscam got slammed on these issues by security researchers was because of the scale that they are deployed, no security researcher is going to look at every OEM that is based on Foscam hardware... I would be willing to bet money that the same security issues identified in like models of Foscam exist in our Insteon cameras...

          While you are on the subject of reading links... (Fostartech is the OEM of the Insteon cameras, according to the Admin)
          Click the http://www.fostartech.com/product/fc1405pc.html link and scroll down to "Setting Voice Guide", see anything that jumps out? See "Hello Foscam" specifically displayed in their infographic!

          That is the OEM that the Admin just confirmed made the hardware for the Insteon cameras... They are likely the same company, just the OEM for Foscam to sell to other businesses that want to "integrate" cameras into their smart home solution --- http://www.fostartech.com/index/smart_home.html

          FYI - the models listed in the link of FI9815P, FI9815P V2, FI9816P, FI9816P V2 are 99% likely the Foscam branded version of the Fostartech OEM FC2401P and they all use the same firmware.
          Last edited by Formula84; 12-14-2017, 02:09 PM.



            #6
            Originally posted by lilyoyo1 View Post
            REALLY!!! Did you not read the notice that you yourself linked to or just see that it has the Foscam name so assume it's every single product? Your own link has the specific models. None of which are the models that Insteon uses. As a company that does business with them, I am quite certain that they had direct talks with Foscam about whether or not their cameras are affected.
            Actually to further back up my claim check out this - https://www.foscam.com/company/contact-as-partners.html
            Contacts:


            ShenZhen Foscam Intelligent Technology Co., Ltd.
            Address: Room AB, 9/F, Block F5, TCL International E City, No. 1001 Zhongshan Road, Nanshan District, Shenzhen, PRC, 518055
            Tel: +86-755-26745668 Fax: +86-755-26745168
            Website: www.foscam.com www.foscam.com.cn


            ShenZhen Fostar Electronic Co., Ltd.
            Address: Room A, 10/F, Block F5, TCL International E City, No. 1001 Zhongshan Road, Nanshan District, Shenzhen, PRC, 518055
            Tel: +86-755-26745668 Fax: +86-755-26745168
            Website: www.fostartech.com

            For business requests, please email to sales@foscam.com
            For OEM/ODM business requests, please email to sales1@fostartech.com
            For business requests from USA, please email to neo@foscam.com Tel: 1-936-900-1623
            For customer service and tech support, please click Contact us



              #7
              Originally posted by Formula84 View Post

              REALLY!!! Yelling, come on... lol, apologies but your "I am quite certain" assumption is not good enough for me.

              Yeah I read the link I posted, that's why in my comment I tried to express... I know this is for Foscam... but they all use the same hardware and I doubt Insteon devs wrote the firmware from scratch themselves... they likely just customized it using SDK... the only reason Foscam got slammed on these issues by security researchers was because of the scale that they are deployed, no security researcher is going to look at every OEM that is based on Foscam hardware... I would be willing to bet money that the same security issues identified in like models of Foscam exist in our Insteon cameras...

              While you are on the subject of reading links... (Fostartech is the OEM of the Insteon cameras, according to the Admin)
              Click the http://www.fostartech.com/product/fc1405pc.html link and scroll down to "Setting Voice Guide", see anything that jumps out? See "Hello Foscam" specifically displayed in their infographic!

              That is the OEM that the Admin just confirmed made the hardware for the Insteon cameras... They are likely the same company, just the OEM for Foscam to sell to other businesses that want to "integrate" cameras into their smart home solution --- http://www.fostartech.com/index/smart_home.html

              FYI - the models listed in the link of FI9815P, FI9815P V2, FI9816P, FI9816P V2 are 99% likely the Foscam branded version of the Fostartech OEM FC2401P and they all use the same firmware.
              The firmware release was based on a vulnerability with the CHIPSET that was used in those cameras which is different than what is used in other models. Had it been software based then that could potentially be a different story.

              Either way, they listed the exact models that had the vulnerability. None of which are insteon's. With that said, even if the company hasn't been in contact with them, at least according to Foscam (and your own research that you posted) this particular threat does not pose a threat to Insteon cameras.
              Last edited by lilyoyo1; 12-14-2017, 02:26 PM.



                #8
                Originally posted by lilyoyo1 View Post

                The firmware release was based on a vulnerability with the CHIPSET that was used in those cameras which is different than what is used in other models. Had it been software based then that could potentially be a different story. Either way, they listed the exact models that had the vulnerability. None of which are insteons.
                How is it you KNOW the chipset being used in our cameras is different? Look I am not trying to argue but you seem so set on just assuming, I like facts, prove to me that the chipset is different.

                Based on my "FYI - the models listed in the link of FI9815P, FI9815P V2, FI9816P, FI9816P V2 are 99% likely the Foscam branded version of the Fostartech OEM FC2401P and they all use the same firmware." you can see I clearly think that they are the same hardware under different branding... prove me wrong.

                Edit: and https://www.foscam.com/company/contact-as-partners.html further supports that they are the same company, same hardware...
                Edit 2: I came to believe FI9815P/6P is the same as our cameras based on research of my own, looking over Foscam products it's the only 2 that match in design / specs / features.

                And this is why I'm curious about all this BTW - https://krebsonsecurity.com/2016/02/...net-of-things/
                Last edited by Formula84; 12-14-2017, 02:32 PM.



                  #9
                  I don't have to assume because based off of the information in the article that YOU yourself posted they put the information front and center.

                  With the assistance of the Claudio Bozzato of Cisco Talos, we recently solved 12 potential security bugs in our firmware for Foscam C1 series and several other models that share the same chipset.

                  That is from the page you posted. Not something I made up or assumed. Nowhere does it say it is a universal issue that affected their entire line of cameras. In fact, the next line references the exact models that a person should be looking out for. This comes directly AFTER Foscam themselves state it deals with the chipset itself.

                  This includes the Foscam C1, C1 V2, C1-Lite, C1-Lite V2, FI9803P V2, FI9803P V3, FI9815P, FI9815P V2, FI9816P, FI9816P V2, and FI9851P V2 IP camera models.

                  It lists the exact models. It ends with AND FI9851P V2 IP Cameras. Had there been more, it would say something that references additional models such as etc. see below for full list etc. By ending in AND, they are stating the exact model list.



                    #10
                    Originally posted by lilyoyo1 View Post
                    I don't have to assume because based off of the information in the article that YOU yourself posted they put the information front and center.

                    With the assistance of the Claudio Bozzato of Cisco Talos, we recently solved 12 potential security bugs in our firmware for Foscam C1 series and several other models that share the same chipset.

                    That is from the page you posted. Not something I made up or assumed. Nowhere does it say it is a universal issue that affected their entire line of cameras. In fact, the next line references the exact models that a person should be looking out for. This comes directly AFTER Foscam themselves state it deals with the chipset itself.

                    This includes the Foscam C1, C1 V2, C1-Lite, C1-Lite V2, FI9803P V2, FI9803P V3, FI9815P, FI9815P V2, FI9816P, FI9816P V2, and FI9851P V2 IP camera models.

                    It lists the exact models. It ends with AND FI9851P V2 IP Cameras. Had there been more, it would say something that references additional models such as etc. see below for full list etc. By ending in AND, they are stating the exact model list.
                    Ok my last chance to reason with you on MY concern (not yours)...
                    "several other models that share the same chipset" - Foscam and Fostartech are the same company using the same hardware, FI9815P and FI9816P mentioned in that article are likely the same internals (chipset) as our FC2401P based on my research... if you have a valid way of proving me otherwise please do. Foscam would not point out FC2401P because that's an OEM version and "Foscam" does not support that... The reason why Fostartech exists is for them to sell hardware to integrators like INSTEON... it's up to INSTEON to support the software.
                    Last edited by Formula84; 12-14-2017, 02:52 PM.



                      #11
                      This was from another security report back in June, but you get my point with the quote...

                      " The report said the weaknesses are likely to exist in many other camera models Foscam manufactures and sells under other brand names."

                      https://arstechnica.com/information-...mote-controls/

                      http://images.news.f-secure.com/Web/...ras_report.pdf

                      This one specifically mentions the similar model also from June - https://www.cso.com.au/article/62086...d-video-audio/

                      So they patched in June and again in November with even more security fixes... Just saying I doubt our 2015 firmware is not susceptible to these same flaws.
                      Last edited by Formula84; 12-14-2017, 03:15 PM.



                        #12
                        If that is what you believe update your cameras with the newer firmware.



                          #13
                          Originally posted by lilyoyo1 View Post
                          If that is what you believe update your cameras with the newer firmware.
                          I have 2 I am willing to try 1 out... But honestly this deserves a valid response from INSTEON and I put this here to make people think about it logically...If one person makes a support request it will get pushed under the rug... If the community pushes and more people inquire about it there is a better chance it will get some traction and at least an official response.

                          I have already emailed support for an official inquiry, but you know how level 1 support can be* with any of these companies...
                          Last edited by Formula84; 12-14-2017, 03:32 PM.



                            #14
                            This is a peer to peer forum. It is rare that anyone from Insteon is on here. With that said, you're making assumptions based on your own thoughts regardless of what was presented in front of you.

                            While I am not saying there cannot be something wrong with Insteon cameras, the fact that nothing you have linked to has any semblance to the Insteon models says you are looking for a solution for a problem that has not yet been found.

                            The last time there was a firmware update for those cameras, there was a security risk associated which is why those updates exist to this day.



                              #15
                              Damn near everything that connects wirelessly to anything else AND everything that connects to the internet in any way probably has security issues; whether it's 2 years or 2 days old. If you're worried about the vague possibility that someone will gain access to your valuable images and/or data then you should probably lock-down completely and remove your cameras and yourself from the risk.

                              The only way to get "a valid response from INSTEON" would be to contact INSTEON directly, a peer-to-peer forum will likely not get the required official ruling. However, I have the feeling that even "a valid response from INSTEON" will result in the OP attempting to continue to resolve a problem that may or may not exist.
