Shodan Lets You Browse Insecure Webcams

There's a lot out there:

The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores....

Slashdot thread.

Posted on January 25, 2016 at 6:25 AM • 27 Comments

Comments

Paul Renault • January 25, 2016 6:58 AM

Shodan Lets Your Browse Insecure Webcams should be
Shodan Lets You Browse Insecure Webcams

ICU • January 25, 2016 10:16 AM

One solution for the ip camera user is to use a router setting to prevent the camera(s) from contacting any WAN address (outside internet). Also, some cam apps and servers can be set to work on ssl only. It is essential the new owner change the default password on the camera immediately. It is standard practice to scan the world using default credentials to find cameras.

Each camera has, or should have, an assigned LAN address, for example 192.168.1.88. If all ports (services) are closed for that LAN, the camera cannot get out to the world. However, the user's app server can or should be on another LAN address, protected by a password and other security measures. For example the app server may be using 192.168.1.50, thus allowing viewing images from the smart phone.

Most cameras being sold these days come with several instances of built-in phone-home ability to make things fun, easy and convenient for the user. For example, all images are forwarded to a DNS server in China to make the owner's smart phone work better, etc. LOL. Some cameras are so wide open that within seconds they start broadcasting all over the world, literally. Only the more savvy users know it is even happening.

An easily forgotten safe practice would be to set the camera up with the modem cable unplugged.

The FCC is working on this. I would presume that means they are waiting for NSA to come up with a way to make sure cams are still wide open for them. Likely there will be a rule, like: Imagery may not be secretly collected for or by any national or foreign persons, governments or their agents. Except for national security, crime investigations, cyber warfare, military base security, corporate security, marketing and copyright violations or bored government analysts as determined by Alice in the security department, or her designee.
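The isolation the comment above describes (camera at 192.168.1.88 may talk to the LAN, including the app server at 192.168.1.50, but never to the WAN) can be expressed as a router firewall policy. The block below is an added example, not code from the post or its commenters: it renders the policy as an nftables ruleset and models the same decision locally so the intent can be checked before the rules are loaded. The addresses come from the comment; the uplink interface name `eth0`, the `/24` LAN and the table name are assumptions.

```python
"""Egress policy for a LAN camera: nftables ruleset plus a local model of it.

Added example. The camera and app server addresses are the ones from the
comment; LAN prefix, uplink interface and table name are assumptions.
"""
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")       # assumed home LAN
CAMERA = ip_address("192.168.1.88")      # camera address from the comment
APP_SERVER = ip_address("192.168.1.50")  # app server address from the comment
WAN_IF = "eth0"                          # assumed router uplink interface


def nft_ruleset(camera=CAMERA, lan=LAN, wan_if=WAN_IF):
    """Render a forward-chain ruleset that drops everything the camera sends to the WAN.

    The forward hook only sees traffic crossing the router, so camera-to-LAN
    flows on the same segment never hit these rules at all; the explicit LAN
    accept matters when the camera sits on its own VLAN or subnet.
    """
    return "\n".join([
        "table inet camera_isolation {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        "    # replies to flows that were already allowed in the other direction",
        "    ct state established,related accept",
        "    # the camera may reach LAN hosts such as the app server",
        f"    ip saddr {camera} ip daddr {lan} accept",
        "    # anything else the camera originates toward the uplink is logged and dropped",
        f'    ip saddr {camera} oifname "{wan_if}" log prefix "cam-egress: " drop',
        "  }",
        "}",
    ])


def allowed(src, dst, camera=CAMERA, lan=LAN):
    """Model the ruleset: is a new flow from src to dst forwarded by the router?"""
    src, dst = ip_address(src), ip_address(dst)
    if src != camera:
        return True          # only the camera is constrained by this policy
    return dst in lan        # LAN destinations pass; every WAN destination is dropped


if __name__ == "__main__":
    print(nft_ruleset())
    for dst in (str(APP_SERVER), "8.8.8.8"):
        verdict = "accept" if allowed(CAMERA, dst) else "drop"
        print(f"new flow {CAMERA} -> {dst}: {verdict}")
```

Load the rendered text with `nft -f` on the router (check it first with `nft -c -f`). The drop rule also kills the camera's DNS lookups to external resolvers, which is deliberate: a device that cannot resolve names cannot phone home. This policy only controls what the camera initiates; it does nothing for an inbound port forward to the camera's web UI, which must simply not exist.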

FXL • January 25, 2016 11:19 AM

Most of the dedicated consumer cam DVRs that are on the market are unwatchable Linux boxes with very crappy UIs, and I can only assume the code quality is as bad as the UI and the English/grammar used within it.

Having one of these devices on a home network is a risk as it is, and exposing it to the internet is just asking for trouble. The risk is not just having random folks accessing / controlling your cams, the risk is access to your whole home network.

With that in mind, I keep mine in a sandbox, allowing no outside access to the internet (using parental controls on my router) and not allowing any external access to the device without the use of an SSH-based tunnel.

Thankfully, there are iPhone ssh clients that offer tunneling ability so that most of the off the shelf cam viewing apps can still be used.

Packrat • January 25, 2016 12:32 PM

This has been known forever. You don't even need a special tool; most exposed cameras have a consistent URL and get indexed by Google. For example, search for inurl:"view/index.shtml" to find Axis brand IP cams. We used to call it geocamming.
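The consistent URL the comment above mentions cuts both ways: it is what makes a camera findable with a search dork, and it is also what lets an owner audit their own devices. The block below is an added example, not code from the post or its commenters. It probes a known camera UI path without credentials and classifies the answer: a 200 means the page is crawlable exactly as the dork relies on, a 401 with `WWW-Authenticate` means a login gate exists (whether the password is still the vendor default is a separate check). The Axis path `/view/index.shtml` is from the comment; the second path and all sample responses are constructed assumptions.

```python
"""Audit your own camera hosts for a web UI that answers without a login.

Added example. /view/index.shtml is the Axis path from the comment; the other
path and the sample responses are constructed, not captured from real devices.
"""
import urllib.error
import urllib.request
from dataclasses import dataclass, field

# Paths that identify camera web UIs. Extend for your own device inventory.
CAMERA_PATHS = (
    "/view/index.shtml",   # Axis, from the comment
    "/view/view.shtml",    # assumption: a second Axis-style viewer page
)


@dataclass
class Response:
    host: str
    path: str
    status: int
    headers: dict = field(default_factory=dict)


def probe(host, path, timeout=5):
    """Fetch http://host/path with no credentials and record status and headers."""
    req = urllib.request.Request(f"http://{host}{path}",
                                 headers={"User-Agent": "cam-audit/1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(host, path, r.status, dict(r.headers))
    except urllib.error.HTTPError as e:
        # 401/403/404 arrive as exceptions; the status and headers are still useful
        return Response(host, path, e.code, dict(e.headers))


def classify(resp):
    """'exposed' if a camera UI path served 200 with no credentials,
    'protected' if it demanded authentication, 'not-camera-ui' otherwise."""
    if resp.path not in CAMERA_PATHS:
        return "not-camera-ui"
    if resp.status == 200:
        return "exposed"
    has_challenge = any(k.lower() == "www-authenticate" for k in resp.headers)
    if resp.status == 401 and has_challenge:
        return "protected"
    return "not-camera-ui"


def audit(responses):
    """Map (host, path) -> classification for a batch of probe results."""
    return {(r.host, r.path): classify(r) for r in responses}


def exposed_hosts(responses):
    """Hosts whose camera UI is reachable without any credentials."""
    return sorted({r.host for r in responses if classify(r) == "exposed"})


# Constructed sample: one open camera, one behind Basic auth, one non-camera host.
SAMPLE = [
    Response("192.168.1.88", "/view/index.shtml", 200, {"Content-Type": "text/html"}),
    Response("192.168.1.89", "/view/index.shtml", 401,
             {"WWW-Authenticate": 'Basic realm="camera"'}),
    Response("192.168.1.50", "/view/index.shtml", 404, {}),
    Response("192.168.1.50", "/", 200, {"Content-Type": "text/html"}),
]

if __name__ == "__main__":
    for key, verdict in audit(SAMPLE).items():
        print(key, verdict)
    print("exposed:", exposed_hosts(SAMPLE))
```

Against live devices, replace `SAMPLE` with `[probe(h, p) for h in your_hosts for p in CAMERA_PATHS]`, and run it from outside your LAN (or against your public address) to confirm nothing is port-forwarded. Only scan addresses you own or are authorised to test.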

ianf • January 25, 2016 2:24 PM

Isn't this more suitable for Krebs?

Yes, we should arrange a Celebrity SecExpert Wet Noodle Wrestling Death Match between Brian and Bruce, with the winner getting SOLE AND ETERNAL rights to write up this very topic, and with the proceeds donated to charity.

worried Father • January 25, 2016 2:24 PM

"My dear little daughter. Have you installed the latest updates on your Barbie doll already?"

Wael • January 25, 2016 2:52 PM

@ianf,

Yes, we should arrange a Celebrity SecExpert Wet Noodle Wrestling Death Match between Brian and Bruce...

Alright, then. I put $100.00 on Bruce "Chuck Norris" Schneier, oh blog bookie. Just make sure they don't fix the match. You know at least one of them has significant recent expertise and interest in gaming systems ;)

It's a dangerous bet! We could all lose and only two winners would be guaranteed, unless one of them is better at the "gambler's (prisoner's) dilemma" game :)

Ribbit • January 25, 2016 6:40 PM

You don't even need a port scanner like Shodan in many cases.

Years ago I tried entering into a search engine messages copied from my LAN printer's web interface, and was rather impressed with the results. The number of crawlable devices connected directly to the web was impressive.

I then proceeded to send to a few of these a message in PostScript on the LPR port, hoping that someone might take notice. Never followed up to check if they were disconnected.

Since many high volume printers spool the scan and print jobs on a disk, someone out there might be able to read what is being planned in that big law firm or stock broker...

Wael • January 25, 2016 6:57 PM

@Ribbit,

Since many high volume printers spool the scan and print jobs on a disk, someone out there might be able to read what is being planned in that big law firm or stock broker...

These guys are likely using secure printers and print servers with tight access controls.

Hurt • January 25, 2016 9:33 PM

I'd still like to know if this is the real Ars Technica site I'm looking at... since they don't use any security on THEIR site, how do I know I'm not looking at some MITM'ed version of the site?

Clive Robinson • January 26, 2016 2:57 AM

@ Wael,

With regards Singapore, is that you in the corner trying to get around a 19" rack?

I'm thus guessing that the wall with the video displays is approximately on the south side.

Wael • January 26, 2016 8:23 AM

@Clive Robinson,

is that you in the corner trying to get around a 19" rack?

Nope. Never been to Singapore. How can you tell the direction, I saw no windows? I took a "virtual tour" around the world last night. It's amazing how many cameras are insecure. Some have the cameras inside their living rooms and bedrooms too! That's dumb!

We • January 26, 2016 9:59 AM

@ianf

It's just that, like someone already mentioned, all kinds of cams have been open for years and it's well known; also, Shodan isn't new.

On a side note, the comments have always been different between this site and Krebs.

herman • January 26, 2016 11:28 AM

Putting a webcam stream of a public place on the public internet is not really a security or privacy issue, but in a country with crazy laws like the USA, the proud parent operator of a baby cam could be charged with disseminating child porn.

Clive Robinson • January 26, 2016 4:16 PM

@ Wael,

How can you tell the direction, I saw no windows?

You disappoint me ;-)

1) What is the man in the corner doing?

2) Thus in which direction is his head probably pointing?

3) And knowing the room is in Singapore, what point of the compass would that be?

Then all you have to do is work it out in your head.

1, praying. 2, Mecca. 3, WNW, which makes the wall on his left approximately on the north side, so the opposite wall would be the south side.

Wael • January 26, 2016 4:37 PM

@Clive Robinson,

I caught him sleeping for like 10 minutes. Never saw him praying (for privacy) ;) You may defer the disappointment to another day :) Scared me for a second....

Wael • January 26, 2016 5:01 PM

@Clive Robinson,

Look at that! An open cash register on your side of the pond. Pay close attention, and you may be able to snoop the "password" when the clerk arrives in the morning!

Wael • January 26, 2016 5:35 PM

How would you like to be a customer in this NY restaurant? Be careful where and who you eat with! There should be some privacy legal ramifications to streaming customers like this in such a "secure" manner! And that's assuming the rest of the "secure" cameras aren't "backdoored"!

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.