Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams.
The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security.
"It's all over the place," he told Ars Technica UK. "Practically everything you can think of."
We did a quick search and turned up some alarming results:
The cameras are vulnerable because they use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place. The image feed is available to paid Shodan members at images.shodan.io. Free Shodan accounts can also search using the filter port:554 has_screenshot:true.
Shodan crawls the Internet at random looking for IP addresses with open ports. If an open port lacks authentication and streams a video feed, the new script takes a snap and moves on.
While the privacy implications here are obvious, Shodan’s new image feed also highlights the pathetic state of IoT security, and raises questions about what we are going to do to fix the problem.
Of course insecure webcams are not exactly a new thing. The last several years have seen report after report after report hammer home the point. In 2013, the FTC sanctioned webcam manufacturer TRENDnet for exposing “the private lives of hundreds of consumers to public viewing on the Internet.” Tentler told Ars he estimates there are now millions of such insecure webcams connected and easily discoverable with Shodan. That number will only continue to grow.
Read More
The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security.
"It's all over the place," he told Ars Technica UK. "Practically everything you can think of."
We did a quick search and turned up some alarming results:
The cameras are vulnerable because they use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place. The image feed is available to paid Shodan members at images.shodan.io. Free Shodan accounts can also search using the filter port:554 has_screenshot:true.
Shodan crawls the Internet at random looking for IP addresses with open ports. If an open port lacks authentication and streams a video feed, the new script takes a snap and moves on.
While the privacy implications here are obvious, Shodan’s new image feed also highlights the pathetic state of IoT security, and raises questions about what we are going to do to fix the problem.
Of course insecure webcams are not exactly a new thing. The last several years have seen report after report after report hammer home the point. In 2013, the FTC sanctioned webcam manufacturer TRENDnet for exposing “the private lives of hundreds of consumers to public viewing on the Internet.” Tentler told Ars he estimates there are now millions of such insecure webcams connected and easily discoverable with Shodan. That number will only continue to grow.
Read More
Comments
Post a Comment