A website that searches the “Internet of Things” has added a search facility for unsecured webcams. The operators say it’s designed to highlight security risks rather than enable voyeurs or would-be criminals.
Shodan is a search engine for Internet-connected devices, covering everything from computers and smart TVs to power plants. For the most part it’s used to satisfy curiosity and to check what your own devices and networks are exposing.
It’s now added a feed that’s created by visiting random IP addresses and checking whether port 554 is open and serves video without requiring any authentication. Port 554 is the standard port for the Real Time Streaming Protocol (RTSP), which is used both for online video and for streaming from security and other monitoring cameras. In the latter case some form of password protection is a very smart idea, but it is often overlooked.
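One way to run the same check against a camera you own, as an added example written for this article rather than Shodan’s own code: it sends an RTSP DESCRIBE request to port 554 and reports whether the server answered 200 (stream description handed out with no credentials) or 401 (authentication demanded, with the scheme it asks for). The hostname argument, the stream path and the two sample responses are assumptions constructed for offline use, not captured from any real device.

```python
"""Check whether an RTSP endpoint on port 554 hands out a stream
description without asking for credentials.

Added example for this article, not Shodan's code. The host and path
used when running it are assumptions; the sample responses below are
constructed, not captured from a real camera.
"""
import socket
import sys

RTSP_PORT = 554


def build_describe(url: str, cseq: int = 1) -> bytes:
    """Build a minimal RTSP DESCRIBE request (RFC 2326): request line,
    one header per line, CRLF line endings, blank line to finish."""
    return (
        f"DESCRIBE {url} RTSP/1.0\r\n"
        f"CSeq: {cseq}\r\n"
        "Accept: application/sdp\r\n"
        "User-Agent: rtsp-auth-check/0.1\r\n"
        "\r\n"
    ).encode()


def parse_status(response: bytes) -> tuple[int, dict[str, str]]:
    """Return (status code, lower-cased header dict) from an RTSP reply."""
    head = response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/"):
        raise ValueError(f"not an RTSP response: {lines[0]!r}")
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers


def classify(response: bytes) -> str:
    """'open' if the server answered 200 with no credentials supplied,
    'auth-required (<scheme>)' on 401, otherwise the raw status."""
    status, headers = parse_status(response)
    if status == 401:
        # WWW-Authenticate starts with the scheme, e.g. "Digest realm=..."
        scheme = headers.get("www-authenticate", "").split(" ", 1)[0].lower()
        return f"auth-required ({scheme or 'unknown'})"
    if status == 200:
        return "open"
    return f"other ({status})"


def check_host(host: str, path: str = "/", timeout: float = 3.0) -> str:
    """Connect to host:554, send DESCRIBE, read the response head."""
    url = f"rtsp://{host}:{RTSP_PORT}{path}"
    with socket.create_connection((host, RTSP_PORT), timeout=timeout) as sock:
        sock.sendall(build_describe(url))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = sock.recv(4096)
            if not chunk:
                break
            data += chunk
    return classify(data)


# Constructed sample replies for offline use (not from any real device).
SAMPLE_OPEN = (
    b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
    b"Content-Length: 23\r\n\r\nv=0\r\no=- 1 1 IN IP4 0.0.0.0\r\n"
)
SAMPLE_PROTECTED = (
    b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    b'WWW-Authenticate: Digest realm="cam", nonce="abc"\r\n\r\n'
)

if __name__ == "__main__":
    for name, sample in (("sample open", SAMPLE_OPEN),
                         ("sample protected", SAMPLE_PROTECTED)):
        print(f"{name}: {classify(sample)}")
    if len(sys.argv) > 1:           # e.g. python rtsp_auth_check.py 192.0.2.10
        print(f"{sys.argv[1]}: {check_host(sys.argv[1])}")
```

Run it with no arguments to see the two constructed samples classified, or with an address on your own network to probe a real camera (only test devices you own or are authorised to test). A 401 shows only that a password is asked for, not that it differs from the vendor default, and a Basic scheme sends that password in cleartext; a 200 means the server handed out the stream description to an anonymous client, which is exactly the condition Shodan’s feed is built on.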
Any time Shodan finds an unprotected camera, it takes a screenshot and adds it to the feed. The image is accompanied by the IP address, rough location, and any technical details available. To minimize any risks, the site delays publishing the image for around 18 hours.
In theory the feed is only available to Shodan’s premium service users, though Ars Technica notes that free (registered) users can reach the same results simply by searching for “port:554 has_screenshot:true”, albeit limited to five pages of results (fifty shots).
To be fair, the feed is pretty mundane stuff as you scroll through, with a lot of shots of empty parking lots and roofs. However, a fair proportion are views of the inside of people’s homes. Ars Technica reports that some shots are of feeds that very much should not be publicly available, including private rooms in banks, marijuana farms, schoolrooms in use, sleeping children, and one unfortunate man sitting on the toilet with the bathroom door open.
A group of security researchers under the name “I Am The Cavalry” is proposing a set of security standards for connected devices, with measures including a ban on standardized, non-random default passwords; encryption for all communication between devices; and the assumption that any network is insecure, meaning the device needs its own layer of protection.