Schneier on Security
A blog covering security and security technology.

January 26, 2011

Unsecured IP Security Cameras

It's amazing how many security cameras are on the Internet, accessible by anyone. And it's not just for viewing; a lot of these cameras can be reprogrammed by anyone.

EDITED TO ADD (2/13): This site lists Google search terms to find cameras, as does the comments section in this SlashDot story.

Posted on January 26, 2011 at 6:28 AM • 42 Comments

wiredog • January 26, 2011 6:50 AM
The 'red light' cameras are probably traffic cameras of the sort you find here:

bob (the original bob) • January 26, 2011 7:20 AM
I wonder if you could search the internet for unsecured Siemens controlled centrifuges?

Dinah • January 26, 2011 8:02 AM
"I was also able to find a feed from a set of eight live porn cameras, which of course occurred while my fiancée was sitting next to me on our couch, before I had mentioned I was working on this article. This showed me that accessing unsecured IP cameras was dangerous in ways I hadn’t expected."

BF Skinner • January 26, 2011 8:07 AM
@bob The boxes are cheap, easily available and not much content on security (as we've come to expect with consumer grade products). Had a nice discussion with some people looking at cameras in Big Box. Warned them about the microphones that all cameras seem to have. The mics are good: can pick up intelligible audio from other rooms and the wind from outside. I want the mics open when I'm not at the monitored site but I don't want to

BF Skinner • January 26, 2011 8:08 AM
And even if you are in a one-party consent state...are you breaking the law when you're unaware you've wiretapped yourself?

Clive Robinson • January 26, 2011 8:20 AM
For those that are "unaware" of this there are a number of security companies (as in physical premises security) selling their clients systems that use IP cameras and an iPhone app to look at them... I have seen so far four different "customers" of one organisation on the web with no security to the cameras other than using an obscure port number... On at least one of these "customers" there is a camera in a meeting room area where there have been confidential director level meetings and all that was needed to "drop in" was knowing the right numbers....

Count0 • January 26, 2011 8:29 AM
It's easy to blame the stupid installers or the stupid users for not changing default user names and passwords or for not changing default view/control settings, but I think the manufacturers have a substantial responsibility for this as well. They're the ones that should know better and anticipate this kind of issue. While they cannot make a user secure the interface, they could take basic steps to ensure that they are not indexed by search engines. I'll bet the embedded web servers in these devices don't even have robots.txt in them as the most basic protection. The thing I find most interesting is companies whose core business is security don't think about securing their own devices very well.

BF Skinner • January 26, 2011 8:34 AM
@Clive "there is a camera in a meeting room area" Yeah. I've added camera searches to my pen test method.

Scott K • January 26, 2011 8:50 AM
Related: Surveillance Saver, "a screensaver for OS X and Windows that shows live images of over 400 network surveillance cameras worldwide. A haunting live soap opera."

BF Skinner • January 26, 2011 8:56 AM
@Scott K "a screensaver ... shows live images of over 400 network surveillance cameras" NSFW

Will • January 26, 2011 9:46 AM
"I was also able to find a feed from a set of eight live porn cameras, which of course occurred while my fiancée was sitting next to me on our couch, before I had mentioned I was working on this article. This showed me that accessing unsecured IP cameras was dangerous in ways I hadn’t expected."
Surely he meant to say: "I was also able to find a feed from a set of eight live porn cameras, which of course occurred while my fiancée was sitting next to me on our couch, and so I pretended I was working on an article. This showed me that accessing unsecured IP cameras was dangerous in ways I hadn’t expected."

Chris • January 26, 2011 9:47 AM
@BF Skinner: "And even if you are in a one-party consent state...are you breaking the law when you're unaware you've wiretapped yourself?" The installation of the monitoring system would probably constitute your knowledge and consent, since such equipment is designed for that purpose. Any third party accessing these systems would likely be breaking the surveillance laws. #IANAL

Chris • January 26, 2011 9:57 AM
@Will I'm sure the original article said: "I was also able to find a feed from a set of eight live porn cameras, and here are the links:" Darned editors.

Adam Trickett • January 26, 2011 10:18 AM
Many internet devices including cheap ADSL routers come with built-in configuration tools running via web pages that are accessible from the public network. In most cases if there is a username/password it's often never changed from the default... Cameras are in many respects no different from this. A colleague used to use Google to look for them years ago but got bored as there is usually very little going on... I believe that the UK monopoly telecoms provider shipped many thousand ADSL/router tools with a default username/password enabled web front end on the public side - while claiming in TV adverts to have the "safest internet". Suffice to say when people found out there was a race between the telco/ISP and the bad people to gain access to the kit...

Scott K • January 26, 2011 10:37 AM
@BF Skinner: I'll take your word for it. I haven't used that screensaver recently--it's not the most stable piece of software, tbh--but I never saw any objectionable/NSFW content on the cameras it pulled up. Given the nature of publicly-accessible cameras and their unknown owners, though, I wouldn't advise using it at work in one's absence. :)

Dirk Praet • January 26, 2011 10:39 AM
For Google searching tips and techniques as well as other viewing pleasure, visit http://peep.onthenet.nl . Orwell would have been impressed.

Clive Robinson • January 26, 2011 10:40 AM
@ Chris, Will, "I was also able to find a feed from a set of eight live porn..." Off topic and "Silly but true"... In the UK we have cable and satellite TV from a number of providers. One of whom (not BT) has a free to view porno channel. Well recently they have been censured by OfCom (clowns of the universe that regulate UK communications) for a late night very early morning show that had a non-existent costume budget for violating broadcasting rules about "smoking" which was brought in to protect children... As has oft been remarked "you could not make it up...

Orlando • January 26, 2011 11:24 AM
This isn't really anything new. It's just a new medium with which you can access the data. RF linked cameras have been accessible, given the right equipment, for years. Sports events were always the best place to find them.

Andy • January 26, 2011 11:47 AM
I trust that this access to unsecured devices does not include blowback protection devices for oil wells....

Seiran • January 26, 2011 11:49 AM
Ah, unsecured webcams :) Just part of all those various unsecured web-enabled devices out there on the Internet. Used to be - before *most* vendors got smart to it - certain brands of Wi-Fi routers would routinely expose their admin login page on the WAN side. MSN Qwest DSL actually blocks a specific port on their inbound Internet traffic because it's used by them to manage the Arescom modems with a well-known password. There are a few of the security cameras that are not secured on purpose. I've seen pages where someone has placed a webcam of their backyard, shed, etc., on the Internet; sometimes with a note reading "Hey! If someone is robbing me please call $phone_number".

Gopiballava • January 26, 2011 12:14 PM
I had an idea for making people change the default SSID on their WAP: The default SSID would be programmatically generated from a corpus of "offensive/tasteless" words. SFW examples would include "yummy-fried-puppies" and "fricasseed-chihuahua-stew". Most post-college-aged customers would want to change it quickly. You could choose some much more offensive words for your corpus, ensuring that virtually 100% of your customers would not leave the default SSID. The only problem I see here is that most customers would choose to return the device rather than figure out how to configure it properly :)

nobodyspecial • January 26, 2011 12:18 PM
And how does changing the default SSID help? Isn't it more secure to have an SSID of "DLINK" than to broadcast "X BANK HQ" to the world?

LSH • January 26, 2011 12:34 PM
This site has an entire row of search terms for Google to find cameras.

BF Skinner • January 26, 2011 1:38 PM
Hmmm interesting type of me too... Never let us forget Johnny Long's Google Hacking DB. This is the page for cameras http://www.hackersforcharity.org/ghdb/?...

moo • January 26, 2011 2:57 PM
Slashdot recently ran a story on this. The comments contain lots of useful search terms for various types of cameras, for example:

Johnston • January 26, 2011 3:10 PM
@Dylan: Changing the SSID to something not found in the top-1000 list increases the amount of work necessary for an attacker to compromise your wireless. Whatever makes an attack more expensive, such as eliminating the possibility of using rainbow tables provided for the top 1000 SSIDs, increases the amount of work required and thereby increases security. The key word is increase, not guarantee. You do have a lock on your door, right? It increases security but doesn't guarantee it.

Sean • January 26, 2011 3:16 PM
@nobodyspecial: Ideally, SSID is not broadcast. All of my office's are given misleading SSIDs which have no meaning or just reference the city they're in.
@Gopiballava: I remember seeing SSIDs of ANALSEX and FREE_VIRUSES_HERE back at college. Never bothered to probe them to find out what was on them.

Gabriel • January 26, 2011 7:46 PM
Haha. That gives me the idea of changing my SSID to VIRUS-TESTBED. Not many folks would try to get onto that.

Davi Ottenheimer • January 27, 2011 1:19 AM
I have read this exact news story numerous times over the past five years (many security cameras are public). It seems to be a form of social engineering (opportunity) -- an advertisement for the chance to see images, rather than anything new about camera security.

really • January 27, 2011 9:47 AM
@Gopiballava: I remember seeing SSIDs of ANALSEX and FREE_VIRUSES_HERE back at college. Never bothered to probe them to find out what was on them. [/maturity]

pedant • January 27, 2011 10:50 AM
@Count0 Pedantic I know but robots.txt only stops *well behaved* search engine robots. The less techy reader may not know that anyone can make a search bot and make it ignore robots.txt. Still, I agree with you. Google, Archive.Org, etc are 'well behaved.' So why don't the manufacturers add such basic protection that would provide much benefit?
@Orlando Again pedantic for regular readers here but, the big difference is that RF requires proximity. With web-accessible cameras the perps, or is that peeps, can be anywhere in the world.

Seiran • January 27, 2011 11:11 AM
@Gopi, Johnston: The primary purpose of this is to differentiate networks when neighbors have purchased the same brand of hardware. These still reveal the vendor (or provider) name, but increased resistance to rainbow table precomputation is a bonus effect. Me, I used to have a router with the SSID 'attwifi' under my desk at work in a small city, connected to nothing. You'd be surprised how many people try to get on.

Mark J. • January 27, 2011 1:10 PM
This is nothing new. I think the Google search string info for such cameras has been around as long as the cameras themselves. You can even get an app from iTunes for your iPxx that will show random cameras.

Orlando • January 27, 2011 6:44 PM
@pedant You are of course quite right, RF does require proximity. The connectedness of the Internet certainly takes the leg-work out of a determined and targeted attack on a precise host(s).

Anοnymous • February 21, 2011 5:13 AM
A bit late to the topic, and not totally on-topic, but you might be interested in the video conference camera in my office's meeting room. I think it works over ISDN rather than internet, but it has a cute security feature: when it powers off the camera, it folds down its "head" into a black velvet lens protector between its "legs", where it is able to see nothing. I suspect the microphone would be severely muffled there too, although I have no way to test it. If the head is up, you know it's on; if the head is down, it doesn't matter how you hack the electronics, it can't see a thing.
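Count0's comment asks manufacturers to take "basic steps" such as shipping a robots.txt, and pedant replies that robots.txt only restrains well-behaved crawlers. The following is an added example, not code from the post, its commenters, or any camera vendor, of an embedded web interface policy that does both things in the right order: it serves robots.txt and an X-Robots-Tag header as a courtesy to crawlers, but the actual control is that every other path requires HTTP Basic credentials, and the factory-default credential is refused for everything except the password-change page until it has been changed. The paths, realm, and the "admin"/"admin" factory default are assumptions made for the example.

```python
"""Added example (not from the blog post or its comments): a minimal embedded
admin interface that is unindexable by polite crawlers and unusable by anyone
else without non-default credentials. The decision logic is a pure function
so it can be exercised without opening a socket; a tiny http.server wrapper
at the bottom makes it runnable on loopback for the reader.
"""
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

FACTORY_DEFAULT = ("admin", "admin")            # assumed default credential
PASSWORD_SETUP_PATH = "/setup/password"         # assumed path of the change-password page
ROBOTS_TXT = "User-agent: *\nDisallow: /\n"     # advisory only: polite crawlers honour it


def basic_auth_header(user: str, password: str) -> str:
    """Build the Authorization header a client would send (used by the test)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


class DevicePolicy:
    """Holds the device's single admin credential and decides each request."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.password = password

    def password_is_default(self) -> bool:
        return (self.username, self.password) == FACTORY_DEFAULT

    def credentials_ok(self, auth_header) -> bool:
        if not auth_header or not auth_header.startswith("Basic "):
            return False
        try:
            raw = base64.b64decode(auth_header[len("Basic "):]).decode("utf-8")
        except (ValueError, UnicodeDecodeError):   # binascii.Error is a ValueError
            return False
        user, _, pw = raw.partition(":")
        # Compare both fields in constant time and always compare both, so a
        # wrong username and a wrong password cannot be told apart by timing.
        user_ok = hmac.compare_digest(user.encode("utf-8"), self.username.encode("utf-8"))
        pw_ok = hmac.compare_digest(pw.encode("utf-8"), self.password.encode("utf-8"))
        return user_ok & pw_ok

    def decide(self, path: str, auth_header):
        """Return (status, headers, body) for a GET of `path` with the given Authorization header."""
        headers = {
            "X-Robots-Tag": "noindex, nofollow",   # courtesy signal, like robots.txt
            "Cache-Control": "no-store",
        }
        if path == "/robots.txt":                  # the one unauthenticated resource
            headers["Content-Type"] = "text/plain"
            return 200, headers, ROBOTS_TXT
        if not self.credentials_ok(auth_header):   # the real control: authenticate everything else
            headers["WWW-Authenticate"] = 'Basic realm="camera"'
            return 401, headers, "authentication required\n"
        if self.password_is_default() and path != PASSWORD_SETUP_PATH:
            # Logged in with the factory credential: nothing but the password
            # change page works until the default has been replaced.
            return 403, headers, f"factory default credential in use; change it at {PASSWORD_SETUP_PATH}\n"
        headers["Content-Type"] = "text/plain"
        return 200, headers, f"ok: {path}\n"


class Handler(BaseHTTPRequestHandler):
    # Assumed credential for the runnable demo; already changed from the default.
    policy = DevicePolicy("admin", "correct horse battery staple")

    def do_GET(self):
        status, headers, body = self.policy.decide(self.path, self.headers.get("Authorization"))
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(body.encode("utf-8"))


if __name__ == "__main__":
    # Loopback only for the demo; a real device would bind the LAN interface,
    # never the WAN side.
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

The ordering in `decide` is the point: robots.txt and X-Robots-Tag cost nothing and keep the device out of search indexes built by cooperative crawlers, but they are checked first only because they are public by design; everything a non-cooperative client could ask for still hits the 401 and the default-credential lockout.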
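Johnston's and Seiran's comments above turn on one fact: WPA/WPA2-Personal derives the 256-bit Pairwise Master Key from the passphrase with PBKDF2-HMAC-SHA1, 4096 iterations, using the SSID as the salt (IEEE 802.11i). A table of keys precomputed for a common default SSID therefore says nothing about a network with a different SSID. The following added example, not code from the post or its commenters, derives the key with Python's standard library and shows that a small table built for one SSID stops matching as soon as the SSID changes. The three candidate passphrases and the "linksys" SSID are constructed sample data; the check against the IEEE 802.11i test vector ("password"/"IEEE") confirms the derivation is the real one.

```python
"""Added example (not from the blog post or its comments): the SSID as the
PBKDF2 salt in WPA/WPA2-Personal, and why that makes tables precomputed for
popular default SSIDs useless against an uncommon one.
"""
import hashlib

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i
PMK_LENGTH = 32            # 256-bit Pairwise Master Key


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, dklen=PMK_LENGTH)


# Constructed sample: a tiny "rainbow table" keyed to one common default SSID.
# A real table would hold millions of passphrases; three show the principle.
TABLE_SSID = "linksys"
SAMPLE_PASSPHRASES = ["password", "letmein1", "qwertyuiop"]
PRECOMPUTED = {wpa_pmk(p, TABLE_SSID): p for p in SAMPLE_PASSPHRASES}


def table_covers(ssid: str) -> bool:
    """True if the table built for TABLE_SSID still matches keys derived under `ssid`.

    Because the SSID is the salt, this is True only when ssid == TABLE_SSID;
    for any other SSID every passphrase has to be re-derived at full cost.
    """
    return any(wpa_pmk(p, ssid) in PRECOMPUTED for p in SAMPLE_PASSPHRASES)


if __name__ == "__main__":
    print("IEEE 802.11i vector:", wpa_pmk("password", "IEEE").hex())
    for ssid in (TABLE_SSID, "linksys-7f3a", "Gopiballava"):
        print(f"{ssid!r}: precomputed table useful = {table_covers(ssid)}")
```

Note what this does and does not buy: a unique SSID removes the precomputation shortcut, so every guess costs the attacker 4096 HMAC-SHA1 rounds, but as Johnston says it only increases the work; a weak passphrase still falls to a live brute force.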