Shodan: The search engine that lets you browse vulnerable baby monitors, webcams
Let’s pretend you have an Internet-connected home security system that features a camera pointed at your living room – a room your family often hangs out in. Now imagine that anyone, anywhere in the world is able to access that camera and see into your home.
It sounds like a nightmare – but, unfortunately, it could be reality.
Shodan, a search engine used to find so-called Internet of Things (IoT) devices, recently launched a new section that allows users to search through hundreds of video feeds from vulnerable webcams, CCTV devices and even baby monitors.
The feeds show everything from the front counters of convenience stores, laboratories, colleges and schools, to people’s living rooms, kitchens and babies asleep in their cribs.
The images are available to members who pay to use Shodan, but those with free accounts are also able to browse a limited number of feeds.
How can people access these cameras remotely?
According to tech website Ars Technica, the cameras are exposed because they share video over the Real Time Streaming Protocol (RTSP) on port 554 – what you see on Shodan is streamed from cameras that have no password authentication in place on that service.
“Shodan crawls the Internet at random looking for IP addresses with open ports. If an open port lacks authentication and streams a video feed, the new script takes a snap and moves on,” the article explains.
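The protocol detail behind that description, as an added example that is not part of the Global News article or the Ars Technica piece: an RTSP client learns about a stream by sending a DESCRIBE request. A camera with no authentication configured answers 200 OK and hands over the stream description (SDP), which is what a crawler needs to pull a frame; a camera that requires credentials answers 401 Unauthorized with a WWW-Authenticate challenge instead. The two replies below are constructed, and the URL is a hypothetical camera on your own network.

```python
"""Classify a camera's RTSP reply to an unauthenticated DESCRIBE request.

Added example, not code from the article or from Shodan. It shows why an RTSP
camera (TCP port 554) with no authentication is viewable by anyone who can
reach it: the server answers DESCRIBE with 200 OK and the stream description,
whereas a protected camera answers 401 with a WWW-Authenticate challenge.
All sample replies are constructed; nothing here touches the network.
"""
from __future__ import annotations

RTSP_PORT = 554  # default RTSP port, as named in the article


def build_describe_request(url: str, cseq: int = 1) -> bytes:
    """Build the RTSP DESCRIBE request a client sends to learn about a stream.

    The URL is assumed to point at a camera you own and are auditing.
    """
    lines = [
        f"DESCRIBE {url} RTSP/1.0",
        f"CSeq: {cseq}",
        "Accept: application/sdp",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_rtsp_response(raw: bytes) -> tuple[int, dict[str, str], str]:
    """Split a raw RTSP reply into (status code, lower-cased headers, body)."""
    text = raw.decode("utf-8", errors="replace")
    head, _, body = text.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        raise ValueError(f"not an RTSP status line: {status_line!r}")
    status = int(parts[1])
    headers: dict[str, str] = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers, body


def classify_rtsp_response(raw: bytes) -> str:
    """Explain what the camera's reply means for its exposure."""
    status, headers, _body = parse_rtsp_response(raw)
    if status == 401:
        # The challenge names the scheme (Basic or Digest); either means a
        # password is required before the stream description is released.
        scheme = headers.get("www-authenticate", "").split(" ", 1)[0] or "unknown"
        return f"authentication required ({scheme})"
    if status == 200 and "application/sdp" in headers.get("content-type", "").lower():
        return "unauthenticated stream: anyone who can reach port 554 can view it"
    if status == 200:
        return "unauthenticated, but no stream description returned"
    return f"other response: {status}"


# Constructed reply from a camera with no authentication: the SDP body tells
# the client everything it needs to set up and play the video.
OPEN_CAMERA_REPLY = (
    b"RTSP/1.0 200 OK\r\n"
    b"CSeq: 1\r\n"
    b"Content-Type: application/sdp\r\n"
    b"Content-Length: 64\r\n"
    b"\r\n"
    b"v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=Camera\r\nm=video 0 RTP/AVP 96\r\n"
)

# Constructed reply from a camera that has a password set.
PROTECTED_CAMERA_REPLY = (
    b"RTSP/1.0 401 Unauthorized\r\n"
    b"CSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="camera", nonce="constructed"\r\n'
    b"\r\n"
)


def audit_samples() -> dict[str, str]:
    """Classify both constructed replies; used by the demo below."""
    return {
        "open": classify_rtsp_response(OPEN_CAMERA_REPLY),
        "protected": classify_rtsp_response(PROTECTED_CAMERA_REPLY),
    }


if __name__ == "__main__":
    print(build_describe_request("rtsp://192.0.2.10:554/live").decode())
    for name, verdict in audit_samples().items():
        print(f"{name}: {verdict}")
```

The point of the check is the first reply: if your own camera answers DESCRIBE with the stream description before asking for a password, then a password on the web interface alone is not protecting the video, and the RTSP service itself needs authentication enabled or needs to be kept off the Internet (see the router advice later in the article).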
Additionally, home security cameras and devices like Internet-connected baby monitors are easily compromised if they have factory default access credentials that are not changed by the user, according to ESET senior security researcher Stephen Cobb.
Global News looked through some of the feeds Tuesday and saw a number of things, including a parking lot in Brazil, what appeared to be someone’s living room in Hong Kong and what looked like a gym in Poland.
Why does this search engine exist?
Privacy implications and creep factor aside, the website highlights the server security problem facing the IoT.
Shodan was launched in 2009 with the goal of scanning every Internet-connected device in order to find vulnerabilities and insecurities. The website is cleverly named after a malicious artificial intelligence machine found in the hit video game series System Shock.
“[Shodan] reflects a mismatch between the low level of security, and security understanding on the one hand, and the power of potential malicious actors on the other. For example, a home router tends to be the hub of the Internet of things in the home, and a lot of people are not yet familiar with how to securely configure them,” Cobb told Global News. “It’s controversial, but it certainly is an awareness-raising system.”
IoT devices have been the subject of scrutiny for years – especially as stories of hackers targeting baby monitors and webcams become more common.
In July, a southwestern Ontario family called police after their baby monitor suddenly began playing music and a voice said they were being watched while one of the parents was rocking the young child to sleep in the nursery. Similarly, in April 2014, an Ohio-area family said they were woken up to hear a voice screaming at their baby to “wake up” through their baby monitor.
In 2013 Ars Technica published an article titled, “Meet the men who spy on women through their webcams,” depicting a bizarre online world where hackers gain access to a computer and then toy with its owner. In the article, hackers refer to their victims as “slaves.”
In January of last year, Edith Ramirez, the chairwoman of the U.S. Federal Trade Commission, warned that connected devices collect a vast trove of user information that represents “a deeply personal and startlingly complete picture of each of us.”
At the time, Ramirez urged tech companies to make data security a priority as they build new products, and called on companies to give consumers more control over how their data is used – steps privacy advocates continue to push for.
Cobb said that while greater awareness of security issues among the general public is required, he believes there needs to be greater pressure on vendors to offer better security by default.
One way to do that would be to implement regulations that force manufacturers to follow a concept like Privacy by Design, which was pioneered by former Ontario Information and Privacy commissioner Ann Cavoukian.
The concept follows seven key principles that ensure privacy protection is at the forefront of all consumer products. For example, privacy protection should be proactive not reactive, meaning measures should be in place to prevent invasions before they happen. Privacy by Design also notes that high security should be the default setting for devices, which means users shouldn’t have to work to turn on privacy or data protection features.
“Privacy by Design principles have the potential to eliminate vulnerabilities in the design phase and make it easier to maintain the privacy and security of data over the life of a device,” said Cobb.
“On one hand you want consumers to demand better security and on the other you want companies to make more secure products. But one day it might come down to regulations.”
How can you protect yourself?
Luckily, you can prevent yourself from ending up on a website like Shodan if you take matters into your own hands.
“If [the device] connects through your home router, that needs to be properly configured. Changing the default user name and password is a good start,” Cobb explained. “Using a strong, unique, hard-to-guess password will improve resistance to hacking. But you also need to turn off remote discovery services, something you do with your router’s configuration console.”
You should also make sure your router has the latest firmware update installed – you can check for updates by going to the manufacturer’s website (Nexus, D-Link, etc.) and looking for any available downloads.
It’s also important to note that most laptops, desktop monitors and external webcams will have an indicator light showing when the camera is on. If you notice the light come on when you aren’t using the camera, it might be time to get your device looked at.
© 2016 Shaw Media