I got a Foscam R2, a cheap and capable Internet camera for home security. But the software is so bad and insecure I’m returning it. A camera in my house has a high bar for security. I do not want video from my house leaking on the Internet. Foscam is designed around a cloud service, so the bar is very high indeed. Given how bad my first 30 minutes were I’m returning the thing.
- I can’t upgrade the firmware
- I can’t connect to the IP interface at all
- The website requires a native code plugin to run
- They don’t quote user input correctly
The biggest problem is utter contempt for basic security. Some examples:
The camera configuration won’t accept my wifi password because it has a space in it. Foscam support has an alarming list of characters you can’t use, including & and =. This suggests they aren’t properly quoting user input. (The linked discussion confirms that.)
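To illustrate why a ban on & and = points at unquoted input, here is an added example (not code from the original post or from Foscam). It assumes the setting is sent as a URL-style query string, which the post does not confirm; the `cmd`, `ssid` and `psk` names and the passphrase are constructed for the demonstration.

```python
from urllib.parse import parse_qs, urlencode

# Constructed sample passphrase using the characters the post mentions.
PASSPHRASE = "blue door & 2=two"
EXPECTED_KEYS = {"cmd", "ssid", "psk"}


def build_naive(ssid, psk):
    """Unquoted concatenation: values are pasted straight into the query."""
    return "cmd=setWifi&ssid=" + ssid + "&psk=" + psk


def build_quoted(ssid, psk):
    """Percent-encode every value so reserved characters remain data."""
    return urlencode({"cmd": "setWifi", "ssid": ssid, "psk": psk})


def device_parse(query):
    """Stand-in for the receiving side: a standard query-string parser."""
    parsed = parse_qs(query, keep_blank_values=True)
    return {key: values[0] for key, values in parsed.items()}


def round_trips(builder, ssid, psk):
    """True only if the receiver sees exactly the fields that were sent."""
    parsed = device_parse(builder(ssid, psk))
    return (
        set(parsed) == EXPECTED_KEYS
        and parsed["ssid"] == ssid
        and parsed["psk"] == psk
    )


if __name__ == "__main__":
    for builder in (build_naive, build_quoted):
        query = builder("home", PASSPHRASE)
        print(builder.__name__, "->", query)
        print("  parsed:", device_parse(query))
        print("  round-trips:", round_trips(builder, "home", PASSPHRASE))
```

With the naive builder the `&` ends the passphrase early and the remainder is parsed as a separate field, so the stored value is not what the user typed. Encoding the values removes the need for a forbidden-character list.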
The camera’s local IP interface is HTTPS only. Nice! Only there’s no valid SSL certificate since there’s no meaningful hostname. After telling my browser to ignore the warning I can get a login page and a tip briefly pops up “Don’t support using HTTPS to login chrome”. Logging in with Chrome does not work. Neither does Edge. I can maybe log in with IE10, but all I get is a popup saying I have to install a .exe plugin first to use the camera. No thank you.
There are several separate websites: foscam.us, foscam.com, and myfoscam.com. I’m not positive but I think the .us site is an American reseller? They have an alarming security note:
“In early June Foscam Digital had been notified of 18 security vulnerabilities that existed on cameras manufactured by Shenzhen Foscam … Foscam Shenzhen initially did not address the vulnerabilities for several months … . However, on June 14th, shortly after the vulnerabilities were communicated directly to end-users by Foscam Digital in order to pressure Foscam Shenzhen to take action, Foscam Shenzhen released a firmware update response available here”
I can’t upgrade the firmware. The mobile app has a firmware upgrade option and does seem to upgrade the camera to 184.108.40.206. But then there’s a second upgrade to 2.x.1.18 (yes, the x is part of the version number) that does not work via the mobile app. There are instructions for upgrading via the web interface but since I can’t log in, I can’t do that.
The English translation is terrible. The very first text you see in the mobile app you have to use to configure the camera is “Has the account?Sign up”. There are translation errors all over the product. I’m usually the last person to criticize someone who speaks imperfect English as a second language. But this sure makes for a bad impression.
The website for the Foscam cloud service works for about 30 seconds, then pops up a dialog that says “Foscam web component has beed upgraded” (sic). The popup is modal with a “Click to download” button that says “Please click me to install plugin(Now we don’t support IE(64))”. It downloads a .exe that I wouldn’t dream of running.
I can’t find their MAC address prefix 00:62:6e in the OUI database. That might not mean anything. Or it might mean they’re cutting some important corners with their Ethernet chipset.