Shodan, a specialty search engine that many Internet users have never even heard of, now has a section dedicated to unsecured webcams.
The new section features a list of unsecured webcams that Shodan has found and includes information like the IP of each device, a rough physical location, and a screenshot taken at the time that Shodan found the webcam. With this information, users are able to load the webcam and view a live stream without the knowledge of the device’s owner.
Even a cursory glance through Shodan’s search results reveals webcams aimed at subjects as diverse as parking lots, living rooms, intersections, and even bedrooms.
The reason that Shodan is able to find these devices, and that users of the search engine are able to surreptitiously view video streams, is that the webcams featured in the section are not secured. In some cases, that means the owner of the vulnerable webcam or IP cam connected it to the Internet and didn’t set a password. In other cases, the device may have default security settings, like a default username and password, that can be easily found via a conventional search engine.
Ars Technica has referred to Shodan as “a search engine for sleeping kids.” That is hyperbole, as Shodan wasn’t designed to be a “search engine for sleeping kids,” or even as a search engine for webcams in general, but intentions mean very little when Shodan can literally be used to find unsecured webcams that well-meaning parents have aimed at their sleeping children.
To drive the point home, Ars Technica even provides some still images of sleeping children obtained via the Shodan search engine.
For those who aren’t familiar with search engines like Shodan, or with the Internet of Things in general, Shodan is a search engine for the Internet of Things. That means Shodan crawls the Internet of Things, which consists of physical devices connected to the Internet, instead of indexing websites and related documents the way Google, Yahoo, Bing, and other conventional search engines do.
According to Network World, Shodan has taken heat in the past from the information security world. Earlier this year, security firm Check Point Software Technologies issued a threat alert against Shodan. Rather than urging manufacturers of devices like webcams to adequately secure their products, or to include features that force owners to set strong passwords, Check Point suggested that manufacturers simply block Shodan’s ability to index them.
As Network World pointed out, that approach might prevent a device from showing up on Shodan, but the device will still be vulnerable to anyone who is able to find, or even guess, the correct IP address.
This problem isn’t new, either. Shodan has been around for years, and device manufacturers have known about it, and other methods of obtaining the IP addresses of unsecured webcams, for just as long. In fact, the FTC even sanctioned one webcam manufacturer in 2013 over the issue of unsecured webcams.
Speaking to Ars Technica, security researcher Dan Tentler suggested the problem has only grown worse since then, and that there are now millions of unsecured devices out there waiting to be discovered by Shodan and similar search engines.
Although Shodan isn’t new, and the ability to search for unsecured webcams isn’t new, what is new is the feed that Shodan has created for paying users. The new feed consists of webcams that stream video, have an open port, and don’t require any authentication, which is how Shodan is able to snap screenshots in the first place. These webcams all employ the Real Time Streaming Protocol (RTSP) on port 554, which is what makes them so easy to discover.
While the new feed is only available to paying members, users with free accounts can take advantage of the lax security of device manufacturers to locate vulnerable webcams via Shodan’s normal search interface. According to Ars Technica, running a query on Shodan with the filter “port:554+has_screenshot:true” returns a list of unsecured webcams complete with screenshots.
At the current time, more than 1,300 webcams can be found via this method.
Concerned owners of webcams and IP cams that are capable of streaming video have a very simple solution to avoid showing up on Shodan, which will also prevent anyone from secretly accessing their webcam. Rather than simply connecting a device and calling it good, or even using the default password, setting a unique, strong password will secure the device and prevent it from showing up in this type of Shodan search.
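The condition Shodan keys on, described above, is an RTSP camera on port 554 that answers a DESCRIBE request without asking for credentials. The following script, added here as an example and not taken from Shodan or the article, lets an owner check a camera they administer: it sends a minimal unauthenticated DESCRIBE and reports whether the camera challenged for a password. The target address is a placeholder, and the `check_camera` helper name is this example's own.

```python
import socket

# Constructed placeholder: the address of a camera you administer.
DEFAULT_TARGET = ("192.0.2.10", 554)


def build_describe_request(host: str, port: int = 554, path: str = "/", cseq: int = 1) -> bytes:
    """Build a minimal RTSP/1.0 DESCRIBE request for rtsp://host:port/path."""
    url = f"rtsp://{host}:{port}{path}"
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "\r\n"
    ).encode("ascii")


def classify_response(raw: bytes) -> str:
    """Classify a camera's reply to an unauthenticated DESCRIBE.

    'exposed'       -> 200 OK: the stream description was served with no credentials
                       (the state the article describes; some cameras still gate SETUP/PLAY,
                       so treat this as a strong signal rather than proof).
    'auth-required' -> 401 Unauthorized: the camera challenged us, as it should.
    'other'         -> any other RTSP status code.
    'no-rtsp'       -> the reply is not an RTSP response at all.
    """
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    status = head.split("\r\n")[0].split(" ", 2)
    if len(status) < 2 or not status[0].startswith("RTSP/"):
        return "no-rtsp"
    if status[1] == "200":
        return "exposed"
    if status[1] == "401":
        return "auth-required"
    return "other"


def check_camera(host: str, port: int = 554, timeout: float = 5.0) -> str:
    """Connect to the camera, send one DESCRIBE, and classify the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe_request(host, port))
        raw = sock.recv(4096)
    return classify_response(raw)


if __name__ == "__main__":
    host, port = DEFAULT_TARGET
    print(f"{host}:{port} -> {check_camera(host, port)}")
```

A result of `exposed` means the camera is answering strangers exactly as the feed above relies on; setting a unique, strong password (and disabling any default account) should move it to `auth-required`.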
Do you think that Shodan is culpable for exposing all of these unsecured webcams, are the manufacturers at fault, or should people just be more careful when setting up their own devices?
[Screencaps via Shodan]