
40,000 IoT Cameras Worldwide Stream Secrets To Anyone With a Browser
Connor Jones reports via The Register: Security researchers managed to access the live feeds of 40,000 internet-connected cameras worldwide and they may have only scratched the surface of what's possible. Supporting the bulletin issued by the Department of Homeland Security (DHS) earlier this year, which warned of exposed cameras potentially being used in Chinese espionage campaigns, the team at Bitsight was able to tap into feeds of sensitive locations. The US was the most affected region, with around 14,000 of the total feeds streaming from the country, allowing access to the inside of datacenters, healthcare facilities, factories, and more. Bitsight said these feeds could potentially be used for espionage, mapping blind spots, and gleaning trade secrets, among other things.
Aside from the potential national security implications, cameras were also accessed in hotels, gyms, construction sites, retail premises, and residential areas, which the researchers said could prove useful for petty criminals. Monitoring the typical patterns of activity in retail stores, for example, could inform robberies, while monitoring residences could be used for similar purposes, especially considering the privacy implications. "It should be obvious to everyone that leaving a camera exposed on the internet is a bad idea, and yet thousands of them are still accessible," said Bitsight in a report. "Some don't even require sophisticated hacking techniques or special tools to access their live footage in unintended ways. In many cases, all it takes is opening a web browser and navigating to the exposed camera's interface."
HTTP-based cameras accounted for 78.5 percent of the total 40,000 sample, while RTSP feeds were comparatively less open, accounting for only 21.5 percent.
To protect yourself or your company, Bitsight says you should secure your surveillance cameras by changing default passwords, disabling unnecessary remote access, updating firmware, and restricting access with VPNs or firewalls. Regularly monitoring for unusual activity also helps to prevent your footage from being exposed online.
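The last recommendation above, monitoring for unusual activity, is the one most people skip. As an added example (not Bitsight's tooling and not any camera vendor's code), the script below takes the HTTP access logs that most camera web interfaces can emit, assumes they are collected centrally with the camera name prefixed to each line (the log format and the sample lines are constructed for this demonstration), and flags every request that came from outside your private address ranges. A 2xx answer to an external client means footage or the UI was actually served; a 401 still shows the interface is reachable from the internet, which is the exposure the article describes.

```python
"""Flag internet-sourced access to IP-camera web interfaces from their HTTP access logs.

Added example, not Bitsight's tooling or any camera vendor's code. Assumes the cameras
write Apache/nginx-style access logs that are collected centrally with the camera
name prefixed to each line; the lines in SAMPLE_LOGS are constructed for the demo.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: one camera reached only from the LAN, one hit from the internet.
SAMPLE_LOGS = """\
cam-lobby 192.168.10.5 - - [01/Jun/2025:08:00:01 +0000] "GET /cgi-bin/snapshot.cgi HTTP/1.1" 200 51234
cam-lobby 192.168.10.5 - - [01/Jun/2025:08:00:31 +0000] "GET /cgi-bin/snapshot.cgi HTTP/1.1" 200 51301
cam-dock 203.0.113.77 - - [01/Jun/2025:08:01:12 +0000] "GET /view/viewer_index.shtml HTTP/1.1" 200 8890
cam-dock 203.0.113.77 - - [01/Jun/2025:08:01:13 +0000] "GET /mjpg/video.mjpg HTTP/1.1" 200 0
cam-dock 198.51.100.9 - - [01/Jun/2025:08:05:40 +0000] "GET /mjpg/video.mjpg HTTP/1.1" 401 0
"""

# "<camera> <client> - - [<timestamp>] "<method> <path> <proto>" <status> <size>"
LOG_RE = re.compile(
    r'^(?P<camera>\S+) (?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Address ranges treated as "inside": RFC 1918 plus loopback and link-local.
# Assumption for this example; add your own VPN or management subnets here.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]


def is_trusted(addr: str) -> bool:
    """True if the client address falls inside one of the trusted ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # hostnames or garbage never count as trusted
    return any(ip in net for net in TRUSTED_NETS)


def parse_line(line: str):
    """Return the log fields as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_exposed_access(log_text: str) -> dict:
    """Return {camera: [finding, ...]} for every request from outside TRUSTED_NETS.

    severity is "served-to-internet" when the camera answered 2xx (content left the
    network) and "reachable-from-internet" otherwise (interface exposed, request refused).
    """
    findings = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_trusted(rec["client"]):
            continue
        served = rec["status"].startswith("2")
        findings[rec["camera"]].append({
            "client": rec["client"],
            "path": rec["path"],
            "status": int(rec["status"]),
            "severity": "served-to-internet" if served else "reachable-from-internet",
        })
    return dict(findings)


def summarize(findings: dict) -> list:
    """One human-readable line per exposed camera, suitable for an alert body."""
    lines = []
    for camera, events in sorted(findings.items()):
        served = sum(1 for e in events if e["severity"] == "served-to-internet")
        clients = sorted({e["client"] for e in events})
        lines.append(f"{camera}: {len(events)} external request(s) from "
                     f"{', '.join(clients)}; {served} answered with content")
    return lines


if __name__ == "__main__":
    for line in summarize(find_exposed_access(SAMPLE_LOGS)):
        print(line)
```

Any camera that shows up in this report at all is reachable from the internet and belongs behind the firewall or VPN the article recommends; the "served-to-internet" count tells you whether footage already left the network, which decides whether this is a configuration fix or an incident.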
Re: (Score:1)
It says the bulletin is "non-public". I suppose that means they'll have to kill us if they told us? Maybe they are afraid the camera company(s) have dirt videos on them? Epstein Island 2.0?
Re: (Score:2)
I assume anything consumer-grade, and anything cheap, isn't secure. I would only consider IP cameras supported by OpenIPC and overwrite the firmware.
its not a secret (Score:5, Informative)
https://www.shodan.io/ [shodan.io]
has been available for years.....
Re: (Score:3)
One of our engineers did this as a side project back in 2015 in an afternoon, set up a web scraper on AWS, and the next day we could visit all these things. I'm pretty sure the company did a new article on this... ten years ago.
Re: (Score:3)
Yeah, there's even been an aggregator website for a decade:
http://insecam.org/ [insecam.org]
It's often broken, but "security researchers"? Come on, now.
default logins (Score:1)
When they hack all the cameras in the world- (Score:2)
Re: When they hack all the cameras in the world- (Score:2)
the cameras serve up a website (Score:2)
I wanted to replace an obsolete camera surveillance system a few months back with better cameras and a more capable NVR server so I learned what I could about the tech. You can buy a good POE camera for under $60. Hook several to a POE switch attached to your local network (which damn well better be behind your router firewall) and you can get to the feeds and record them with some open source software running on a cheap linux micro-pc; https://docs.shinobi.video/ [docs.shinobi.video]
I tried several camera brands. Hikvision, Re
Re: (Score:2)
I think most of those open cameras are open to the Internet because their owners intentionally opened ports in their routers.
Re: the cameras serve up a website (Score:1)
Re: (Score:2)
That's the problem with cheap Chinese cameras. Not singling out the Chinese, but they're well known to take a camera design and make dozens of models based on the same model and software, and make them really, really, really cheap.
Meanwhile you can spend more money for cameras that can do local storage of video, some of which can optionally upload to the cloud, and there's plenty that do triple storage - local (on-camera), local NVR, and cloud storage. Recording in 3 places means if the camera is stolen
Re: (Score:2)
>> cheap Chinese cameras
Yes, all the cameras I looked at appeared to be derived from the same basic design. Rebranded with some minor UI changes.
Are there better cameras that you recommend?
The 2012 Carna Botnet used 420,000 nodes (Score:2)
The return of Google Hacking (Score:2)
Yahoo (Score:2)
Re: Yahoo (Score:2)
Brickerbot (Score:2)
https://en.wikipedia.org/wiki/... [wikipedia.org] is the anti-hero we need. I wish it was a government-run service -- bring your bricked device and you get a reimbursement. Should be easy to check if it was bricked by a brickerbot. Such a service should pay off easily compared to the cost of botnets.
Frigate (Score:2)
Preaching to the converted here, but...
If you've got some webcams somewhere, then consider running Frigate to 'consume' their feeds. Ideally, put all of the cameras on a private network which doesn't have any access to any other network, and then give your frigate server 2 network interfaces. If you need off-network access to the feeds, then use a VPN.
My Frigate server has a £60 USB TPU attached - it makes that little NAS, which runs a handful of other things as well, able to do AI recognition on a wh
AI and IoT - dangerous combo? (Score:2)
Just wait til AI can watch all 40k+ feeds and analyze the data in real time.