New Spy Service Shows You Unsecured Webcams And Baby-Cams, Etc. (#GotBitcoin?)

Shodan has made it even easier for our inner voyeur to spy upon the open webcams of homes across the world — but are the ramifications more pronounced than idle surveillance?

Launched in 2013, Shodan is a search engine used to find Internet of Things (IoT) connected devices around the world. Webcams, security systems and routers are only some of the devices which, once connected to the Web, can offer a glimpse into our lives behind locked doors should poor security turn the key.

Unfortunately, despite a steep rise in home Internet connectivity and the use of connected home devices — from lighting to cameras — and IoT-based vehicles, security comes up short.

We’ve heard of Jeeps hacked by attackers able to control braking systems, IoT devices with obsolete firmware that can be easily compromised by a remote hacker, and routers placed at risk should you fall for a phishing campaign.

The rapid push to capitalise on consumer IoT devices has left a rift which security needs to fill, and much of it can be solved by forcing consumers to take control of their basic security right at the start — while other elements, such as patching firmware flaws, are the responsibility of vendors.

Shodan, while potentially a dangerous tool, is also the absolute example of what can happen when devices with lax security enter our daily lives.

In some ways, Shodan is a voyeur’s dream. A quick scan either through paid or free membership using terms such as port:554 has_screenshot:true reveals cameras installed in places ranging from car parks in Japan to bars in France, private lounges in Korea to rabbit cages in Germany.

As reported by Ars Technica, you can use the vulnerable cam feed to find everything from “marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores.”

Once you’ve gotten over contemplating the decor choices of citizens in countries including the UK, US and Russia, you begin to realize being able to snoop in bedrooms, kitchens, garages, lounges and gardens has a far darker side than fleeting amusement.

A swift, short search also shows cameras homing in on sleeping children, oblivious couples snuggled on the sofa and happy patrons at bars, unaware their faces are being broadcast to the Internet while they enjoy a cheeky pint.

But Why Does This Happen?

Shodan scours the Web for devices which use Real Time Streaming Protocol (RTSP port 554) which are left open without basic password protection — or only the default password settings — in place. Luckily for those with vulnerable webcams, Shodan trawls the web for open feeds but only takes a snapshot before moving on.

This is bad enough, however, to highlight how important security has become for the average consumer, whether they realise it or not.

There’s no easy answer for consumers. Home cameras come in useful, especially when they are used for security. I use one myself, which remains on its own network and disconnected from any other IoT devices I have installed as one of the few measures I can take to improve the security of my devices.

When I’m out and about or abroad, I like knowing that intruders will set off both motion sensors and my camera, and that there will be a live stream, an alert and the option to record footage of any unwanted guests. I also enjoy the fact I can ‘check-in’ to make sure everything is fine when I’m away.

There was something else I did straight out of the box, however: I changed the default passwords on every IoT device I operate at home. But not every device even allows you to do this, and this responsibility lies at the feet of vendors — which may require regulatory pressure to get their act together.

Security researcher Dan Tentler told Ars there are likely “millions” of vulnerable webcams in use. However, solving the problems this idea prompts cannot be done with a simple over-air patch.

Money, trust, and interest lie at the core. Consumers will often choose cheaper products that do the job over more expensive options, vendors wish to create the best profit margins possible, and a current lack of IoT security regulations sets the trend.

In addition, consumers often expect vendors to provide secure products as a matter of course, and may not understand or care about ensuring complex passwords and barriers are in place before using their latest gadget.

It is possible that regulators such as the US Federal Trade Commission (FTC) may step in to stem the tide of vulnerable IoT devices, but until regulations are firmly in place, consumers are left in limbo.

The FTC issued a report last year urging IoT device makers to adopt a set of best practices to keep devices secure, but more must be done in the future to protect our connected homes.

If nothing else, make sure you change the default password on your device, if you can. Default passwords can be easily found by search engines such as Shodan, and by leaving default settings in place, you may be unwittingly inviting the interested eyes of the Web into your home.

But perhaps you should ask yourself: In a world where the Internet of Things is a fledgling industry and security is yet to catch up, do we really need a camera to enhance a baby monitor? In order to protect our privacy, is it completely outside of the realm of possibility to take a step back and downgrade some of our technology to maintain our privacy at home?

If the answer to the latter is no, then at the very least, any device connected to the Internet which can stream video or audio should not be placed in areas you would prefer to keep private.

Shodan is not the devil, but rather a messenger which should make us take responsibility for our own security in a world of webcams and mobile devices.

Explore The Internet of Things

Use Shodan to discover which of your devices are connected to the Internet, where they are located and who is using them.

See The Big Picture

Websites are just one part of the Internet. There are power plants, Smart TVs, refrigerators and much more that can be found with Shodan!

Monitor Network Security

Keep track of all the computers on your network that are directly accessible from the Internet. Shodan lets you understand your digital footprint.

Get A Competitive Advantage

Who is using your product? Where are they located? Use Shodan to perform empirical market intelligence.

A self-described security “amateur” discovered hundreds of Internet-connected devices ranging from cameras to industrial control systems that were connected to the Internet without even basic password protection — meaning they could be easily turned on and off or otherwise manipulated with a single click of a mouse.

“You would be amazed [what] you could find,” Espen Sandli, a journalist at the Norwegian newspaper Dagbladet, told the Computer Assisted Reporting conference Thursday. “The project was made from people who had no idea about data security at the start.”

They began by searching for basic security cameras, such as finding and taking control of a surveillance camera inside a nightclub. After that, they graduated to finding compromised control systems at military installations and railroads. In one case, they found a security company’s list of clients and passwords in the clear online. In another, they could have accessed who was allowed to enter or leave a military building. Another device on the open Internet could have allowed them to switch off a railway fire-alarm system.

Sandli and a colleague used the publicly available Shodan search engine, which allows searching by factors such as IP address range, device type, operating system and geography. After getting results, they used investigative reporting skills to track down device owners, including some painstaking tasks such as using Google Earth data to try to match outdoor webcams with their owners.

He said the Dagbladet team didn’t do their own port scanning (instead relying on Shodan’s) and never attempted to enter passwords, even when it was likely that devices were simply using defaults. Those ground rules were part of the project’s ethics baseline, he said. But after just a few hours, it became clear he wouldn’t need to try basic password cracking because there were so many Internet-connected devices where no passwords were needed.

The NullCtrl project team also always contacted owners of affected devices before publishing a story about one, ensuring they had time to secure or remove them.

The Dagbladet journalists consulted with lawyers in Norway to make sure the NullCtrl project wasn’t breaking any laws there.

In a discussion after Sandli’s presentation, one American investigative journalist said doing a similar project could be illegal in the U.S. if anyone crosses the threshold from looking at Shodan search results to clicking through and attempting to control a device, even one as harmless as moving a webcam to see a different view.

In Norway, the standard is that there was no malicious action taken. Advice to journalists or would-be white hat security hackers trying to undertake a similar project in the U.S.: Get your own legal advice first.

Sandli said it is his understanding that government security agencies in the U.S. have their own means of searching for unsecured critical infrastructure devices on the Internet and informing their owners of the need to beef up protection.

The Norwegian national security agency did not. But after NullCtrl, Dagbladet said, the agency made their own Shodan and started conducting proactive searches too.

Your questions and comments are greatly appreciated.

Monty Henry, Owner
