January 27, 2011

Unsecured IP security cameras

Easy Connect Wireless IP cameraImage via Wikipedia
An interesting article on the latest security hole in video surveillance:

Surveillance systems are gaining more online functionality every year. Because so many cameras and surveillance systems are completely open, it's possible for anyone with Internet access to watch literally thousands of cameras online using only Google. With a little time and patience, almost any given system, from a set of residential cameras to those used by your local police, can be accessed, viewed, and even reset if not properly secured.

Though they are relative newcomers to the surveillance market, IP cameras caught on quickly and are rapidly stealing market share and consumer preference from traditional (analog) cameras.

IP cameras often present an attractive alternative. Using the same basic technology that your computer uses, IP cameras take their own IP addresses and stream video directly onto a network without connecting to a DVR or control platform.

Once an IP camera is installed and online, users can access it using its own individual internal or external IP address, or by connecting to its NVR (or both). In either case, users need only load a simple browser-based applet (typically Flash, Java, or ActiveX) to view live or recorded video, control cameras, or check their settings.

Regardless of where a system is installed, if it has any online presence whatsoever, it’s vulnerable. All it takes is time and some skillful Googling to gain access.

Finding IP cameras with Google is surprisingly easy. Though the information the search engine provides on the cameras themselves is typically little more than an IP address and a camera name or model number, Google still provides those who know how to ask with extensive lists of IP cameras and Web-enabled surveillance systems throughout the world.

Some cameras are even easier than that. For instance, though a search for “intext:’MOBOTIX M10’ intext:’Open Menu’” will bring up direct links for M10s that are online and ready to be viewed, simply searching “Mobotix M10,” the make and model of the camera returns basically the same results. It’s just a matter of knowing which cameras are online and how their remote viewers are structured. Though some of the links will be to cameras that are password protected or to cameras that were deliberately left open for public viewing, the vast majority will belong to users who intended them to be private.
As IP cameras became more popular and this Google trick became better known, entire communities sprung up around finding and watching unsecured cameras; many larger forums (such as 4chan and SomethingAwful) have had large threads on the topic.

Regardless of the makes or models of their cameras, administrators can easily lock unauthorized users out of their cameras simply by enabling the onboard security that DVRs, NVRs, and IP cameras come with and by changing their default usernames and passwords (especially important since the default combinations are easily available on manufacturers' websites). The specific ways to do this vary from system to system, but the method is always covered in the manual.

Still, as those who are reading this article on their neighbor’s unsecured wireless network can tell us, there will always be users who just don’t bother to read the manual or who just never get around to setting up even basic security, so there will also be those who make a hobby of finding and watching these cameras.

read the full article here
Enhanced by Zemanta
Post a Comment