Peep show: inside the world of unsecured IP security cameras
If you’re in public, you’re on camera. If you walk into a coffee shop, the owner gets you at the register. Visit a larger store, and chances are they have your face as soon as you cross the threshold. At least one or two of your neighbors catch you on camera when you walk around your neighborhood, and many cities monitor traffic using red light cameras at major intersections. The question is no longer if you’re on camera, but rather how many different angles you were caught on while going about your day.
With so much monitoring taking place, and with surveillance systems gaining more online functionality every year, it’s natural that securing these systems would become… complicated. And that many many are secured incorrectly or not at all. Because so many cameras and surveillance systems are completely open, it’s possible for anyone with Internet access to watch literally thousands of cameras online using only Google and a kindergartener’s understanding of the ‘Net. With a little time and patience, almost any given system, from a set of residential cameras to those used by your local police, can be accessed, viewed, and even reset if not properly secured. Of course, if you can do this, it means that anyone can do it.
?Feel safer yet?
Surveillance on the Internet
Though they are relative newcomers to the surveillance market, IP cameras caught on quickly and are rapidly stealing market share and consumer preference from traditional (analog) cameras. In an analog system, all cameras need to be wired directly back to a central recording system using analog cable (typically RG-59 or RG-6 coaxial). Installation can be a financial and practical nightmare, especially on larger properties where there may be hundreds or even thousands of feet between cameras and their base station.
IP cameras often present an attractive alternative. Using the same basic technology that your computer uses, IP cameras take their own IP addresses and stream video directly onto a network without connecting to a DVR or control platform. Larger systems can integrate multiple IP cameras together using an NVR (network video recorder) that connects to and records multiple cameras at the same time. This capability can cut installation cost by literally thousands of dollars on sites where analog cameras would require long or complex cable runs.
Additionally, IP cameras frequently offer the additional benefits of higher resolution (with some models capable of 10 megapixels or more) and a more familiar platform for users to work with, meaning that they are also frequent favorites for smaller installations, too. Many forward-looking government, commercial, and even residential users are already standardizing their security on an entirely IP-based system, and most surveillance industry insiders feel this trend will continue into the foreseeable future.
Once an IP camera is installed and online, users can access it using its own individual internal or external IP address, or by connecting to its NVR (or both). In either case, users need only load a simple browser-based applet (typically Flash, Java, or ActiveX) to view live or recorded video, control cameras, or check their settings. As with anything else on the Internet, an immediate side effect is that online security becomes an issue the moment the connection goes active.
Though most NVRs require usernames and passwords for access, many individual cameras do not. An NVR can have the most advanced password imaginable, but if its remote cameras are online and unprotected, anyone with a web browser can completely bypass the system’s security, no hacking required.
Regardless of where a system is installed, if it has any online presence whatsoever, it’s vulnerable. All it takes is time and some skillful Googling to gain access.
Finding open doors
Finding IP cameras with Google is surprisingly easy. Though the information the search engine provides on the cameras themselves is typically little more than an IP address and a camera name or model number, Google still provides those who know how to ask with extensive lists of IP cameras and Web-enabled surveillance systems throughout the world.
The secret is in the search itself. Though a standard Google search typically won’t find anything out of the ordinary, pairing advanced search tags (“intitle,” “inurl,” “intext,” and so on) with names of commonly-used cameras or fragments of URLs will provide direct links to watch live video from thousands of IP cameras.
For example, a standard Google search for “Axis 206M” (a 1.3 megapixel IP camera by Axis) yields pages of spec sheets, manuals, and sites where the camera can be purchased. Change the search to “intitle: ‘Live View / – AXIS 206M,’” though, and Google returns 3 pages of links to 206Ms that are online and viewable. The trick is that instead of searching for anything related to the 206M, the modified search tells Google to look specifically for the name of the camera’s remote viewing page.
Some cameras are even easier than that. For instance, though a search for “intext:’MOBOTIX M10’ intext:’Open Menu’” will bring up direct links for M10s that are online and ready to be viewed, simply searching “Mobotix M10,” the make and model of the camera returns basically the same results. It’s just a matter of knowing which cameras are online and how their remote viewers are structured. Though some of the links will be to cameras that are password protected or to cameras that were deliberately left open for public viewing, the vast majority will belong to users who intended them to be private.
As IP cameras became more popular and this Google trick became better known, entire communities sprung up around finding and watching unsecured cameras; many larger forums (such as 4chan and SomethingAwful) have had large threads on the topic. To make access easier, members of these groups have posted pages of Google-ready search strings that grant access to dozens of different camera makes and models, meaning virtually anyone can get started with just a little effort. No technical knowledge, finesse, or prior experience needed; one need only find a list of search terms (an easy task with any search engine) and start copying and pasting into Google.
It’s so easy even a freelance journalist can do it. I fired up my browser, found a list of search terms, and went exploring.