Unsecured IP Cameras Accessible To Everyone

Orome1 writes "In the last couple of decades, we have become so accustomed to the idea that the public portion of our everyday life is watched and recorded — in stores, on the street, in institutions — that we often don't even notice the cameras anymore. Analog surveillance systems were difficult to hack into by people who lacked the adequate knowledge, but IP cameras — having their own IPs — can be quite easily physically located and their stream watched in real-time by anyone who has a modicum of computer knowledge and knows what to search for on Google."

Nice one

[Peach+Rings]

Good find 2002.

Re:Nice one

[Solid+StaTe_1]

from 2005... but whatever. it's old news

http://it.slashdot.org/article.pl?sid=05/01/09/1411242

Re:Nice one

[PatPending]

Yeah, and then there is this one from 2007 (Thieves Hacking Security Cameras). By far, this is the most informative post of the lot--a comprehensive list of searches.

Re:Nice one

[goodmanj]

Here's the deal though: if it's been six years and nobody's bothered to close these security holes --- and the searches still work, I just tried --- then *THAT* is news.

Finding a security exploit is not big news. Leaving a security hole unfixed for six years *is* big news, especially if it's done by companies for whom "security" is literally their middle name.

Re:Nice one

[Dunbal]

We found one on a passenger jet over NYC but that didn't turn out so well.

Re:Nice one

[Local+ID10T]

Here's the deal though: if it's been six years and nobody's bothered to close these security holes --- and the searches still work, I just tried --- then *THAT* is news.

Finding a security exploit is not big news. Leaving a security hole unfixed for six years *is* big news, especially if it's done by companies for whom "security" is literally their middle name.

Who says its a security hole?

Do I care if the entire world can look thru my camera? Does it in any way effect the operation of the camera or of the security system attached to it? No.

Now if the camera is pointed at something I don't want the rest of the world to see... maybe I should have sprung for a system that at least requires a password...

Re:Nice one

[cusco]

Does it in any way effect the operation of the camera or of the security system attached to it?

Actually it does. Most cameras have a limit of how many simultaneous connections are allowed. Exceed that limit and the owner might have to reboot the camera in order to access their own video feed. Bad news if that camera's looking at the door of your emergency room or your unmanned warehouse half a continent away.

Re:Nice one

[Peach+Rings]

Me too, mine was even aimable with a little javascript control. Got a really good close up of the second tower.

Re:Nice one

[hairyfeet]

But how many are gonna actually want to spend any time staring at these things? Most of us here have tried that VERY old trick and found out the insidious truth...that most of these things are about as exciting as watching paint dry. Just for the hell of it when I saw TFA I did the usual old tricks and out of 30 or so cams I checked out the most exciting thing I saw was a guy turn his snowmobile around in a parking lot. Woo hoo!

Frankly there isn't a point in securing 99.999% of these things because they are just another boring connection. And for those that talk about "man in the middle attacks"? Oh please, you watch too much CSI. I have had to set a few cams up for businesses and what you catch on them is crackheads looking for anything that ain't nailed down, and as anyone who has ever encountered a crackhead knows they ain't exactly intelligent creatures. Hell most would be lucky to figure out how to even use a PC because their first instinct when handed one would be to pawn it.

So lets not make this out to be some big failure of IT when its not. Cameras pointed at places that actually require security have security on the cams for the most part while all these cams you'll find on the net are ones like the cam watching Bob's tire hut to keep the crackheads from trying to steal the compressors. So if watching the parking lot of Bill's pawn shop excites you, hey who am I to judge, but it isn't like these things are a big secret or even need security. After all how many are gonna want to spend any time at all watching a gravel driveway or some fence?

Also on Ars Technica

[Max+Romantschuk]

Ars Technica did a nice piece on this too:
http://arstechnica.com/gadgets/guides/2011/01/one-mans-journey-through-the-world-of-unsecured-ip-surveillance-cams.ars

Worth a read.

This is so old.

[Securityemo]

And there's lots of other things you can find. Here are some lists: http://www.hackersforcharity.org/ghdb/

Re:I've hacked into...

[JonySuede]

so you like to hack into gay bar to watch penises, as they says : each to is own !

tons of cams are available.

[Zurk]

heres a long list copied from various parts of the web for searches you can try :

allintitle: "Network Camera NetworkCamera" Network cameras
intitle:Axis 2400 video server Mostly security cameras, car parks, colleges, clubs, bars, etc.
intitle:axis intitle:"video server" Mostly security cameras, car parks, colleges, bars, ski slopes etc.
intitle:"EvoCam" inurl:"webcam.html" Mostly European security cameras
intitle:"Live NetSnap Cam-Server feed" Network cameras, private and non private web cameras
intitle:"Live View / - AXIS" Mostly security cameras, car parks, colleges etc.
intitle:"LiveView / - AXIS" | inurl:view/view.shtml Mostly security cameras, car parks, colleges etc.
intitle:liveapplet Mostly security cameras, car parks, colleges, clubs, bars etc.
intitle:snc-cs3 inurl:home/ Mostly security cameras, swimming pools and more etc.
intitle:"snc-rz30 home" Mostly security cameras, shops, car parks
intitle:snc-z20 inurl:home/ Mostly security cameras, swimming pools and more etc.
intitle:"WJ-NT104 Main" Mostly security cameras, shops, car parks
inurl:LvAppl intitle:liveapplet Mostly security cameras, car parks, colleges etc.
inurl:indexFrame.shtml "Axis Video Server" Mostly security cameras, car parks, colleges etc.
inurl:lvappl A huge list of webcams around the world, mostly security cameras, car parks, colleges etc.
inurl:axis-cgi/jpg Mostly security cameras
inurl:indexFrame.shtml Axis Mostly security cameras, car parks, colleges etc.
inurl:"MultiCameraFrame?Mode=Motion" Mostly security cameras, pet shops, colleges etc.
inurl:/view.shtml Mostly security cameras, car parks, colleges etc.
inurl:/view/index.shtml Mostly security cameras, airports, car parks, back gardens, traffic cams etc.
inurl:viewerframe?mode= Network cameras, mostly private webcams etc.
inurl:"viewerframe?mode=motion" Network cameras
inurl:ViewerFrame?Mode=Refresh Mostly security cameras, parks, bird tables etc.

Other searches:
control/userimage.html liveapplet inurl:indexframe.shtml inurl:"view/index.shtml" inurl:"view/indexFrame.shtml" inurl:view/view.shtml
inurl:/view/view.shtml?videos= inurl:ViewerFrame?Mode= inurl:ViewerFrame?Mode=Motion inurl:ViewerFrame?Mode=Refresh site:.viewnetcam.com -www.viewnetcam.com /view/index.shtml

In Title:
intitle:"live view" intitle:axis
intitle:"EvoCam" inurl:"webcam.html"
intitle:"i-Catcher Console - Web Monitor"
intitle:"Live NetSnap Cam-Server feed"
allintitle:liveapplet
intitle:liveapplet
intitle:"netcam live image"
intitle:"snc-rz30 home"
intitle:"WJ-NT104 Main"

In URL:
inurl:axis-cgi/jpg
inurl:indexFrame.shtml Axis
inurl:indexFrame.shtml "Axis Video Server"
inurl:lvappl live webcams
inurl:LvAppl intitle:liveapplet
inurl:"MultiCameraFrame?Mode=Motion"
inurl:/view:shtml
inurl:/view/index.shtml
inurl:view/indexframe.shtml
inurl:view/view.shtml
viewerframe?mode=
inurl:"viewerframe?mode=motion"
inurl:ViewerFrame?Mode=Refresh

Two searches in one order:
intitle:"live view" intitle:axis (two searches in one order)
intitle:axis intitle:"video server"
intitle:liveapplet inurl:LvAppl
intitle:"Live View / - AXIS" | inurl:view/view.shtml
intitle:start inurl:cgistart

Combination:
camera linksys inurl:main.cgi
Display Cameras intitle:"Express6 Live Image"
intitle:"active webcam page"
intitle:"EvoCam" inurl:"webcam.html"
inurl:LvAppl intitle:liveapplet
intitle:"Live View / - AXIS"
intitle:liveapplet inurl:LvAppl
intitle:"my webcamXP server!" inurl:":8080"
intitle:"Network Camera" inurl:ViewerFrame
intitle:snc-z20 inurl:home/
intitle:snc-rz30 inurl:home/
intitle:"toshiba network camera - User Login"
intitle:"Live View / - AXIS" | inurl:view/view.shtml
tilt intitle:"Live View / - AXIS" | inurl:view/view.shtml
intitle:"WJ-NT104 Main Page"

Sometimes your order gives hundreds of URLs. You can restrict your search by adding a country, a specialized URL or another mes

Re:tons of cams are available.

[cusco]

Just an FYI, as someone who does this for a living, most of our competition leaves their cameras at the factory default usernames and passwords. Try root, admin or Admin as usernames, and root, admin, pass, 1234, 12345 or just plain blank as passwords. Some of the manufacturers are getting a clue and requiring a password be created on first login in the newer firmware, but most of these bozos are just putting in the old factory default again.

Glad I work for one of the few security companies that doesn't have its head up its collective ass. I'd really hate working for one of the Big Three.

Re:tons of cams are available.

[Securityemo]

I've never done this sort of work, but I suppose they operate on or have degenerated to the principle "if we just keep telling the management what they want to hear and don't expose too much incompetence in the IT staff we get paid with a minimum of fuzz, even if we could technically fix this"?

How do you guys handle situations like that? Ever had any problems when actually telling the management/client? Or is it all cool and professional?

Re:tons of cams are available.

[hedwards]

Because then they can figure out ways of obscuring themselves more effectively. Which is the problem, additionally you frequently run into dome cameras where you're not sure where exactly they're pointed. With practice you can see very quickly, but it's a bit of a risk.

Re:tons of cams are available.

[cusco]

Essentially I tell my boss, and he talks to their boss. Normally we can do most of our own work on the end points without too much trouble (servers, cameras, access control panels, etc.), and I go out of my way to let them know that I'll be as flexible as they need and want to inconvenience them as little as possible. Works most of the time.

Not always though. We have one customer where I just plain can't talk to the network admins directly because I inadvertantly showed them up as a clot of incompetent lazy-ass fuck-ups. I'm not terribly good dealing with those kinds of people, so this arrangement works better. The project manager can tell their PM "We need x-many IP addresses for that site by the first of next month" and we'll get them by the fourteenth.

Note to self: When the network admins say "can't be done" don't point out in front of their boss's boss that you've already done it three other places and you're not even a CCNA.

Re:tons of cams are available.

[dbIII]

That often come down to "it was somebody else's incredibly stupid idea I argued against and when it breaks we can have something sensible". Childish but understandable. The responsible thing to do is have unauthorised backups for when such pet projects die instead of just ignoring them. Without a decent boss and a long history of trust in your workplace this can land you in deep shit if discovered, but the shit could be deeper if you don't do it, the pet project breaks and the owner of the pet project doesn't have a clue how to deal with it.
Of course authorised backups are better but I'm talking about the sort of fuckups where office politics do not allow it. Then there's the "we have RAID5, doing backups is a waste of time" idiots. If you can't win that argument unauthorised backups might be the only way to save your job when the system dies and you are called on the carpet for not arguing hard enough for backups.
When I say "unauthorised" I really mean going over the head of the people running the pet projects. It's important that someone towards the top of management knows where all the backups are in case of a disaster where the normal IT staff cannot physically get there. A manager that sleeps better at night knowing all vaguely important digital information has an offsite backup tends not to lash out like a cut snake when important systems die.

Cameras Everywhere

[NReitzel]

At the University where I work, there are cameras in all of the lobby areas and in many of the labs. They are publicly accessible, for the most part - non-port 22 but otherwise unsecured. However, because the University wants to be able to use the pictures in legal proceedings, all the camera areas are clearly marked with "Video Surveillance" stickers.

I can't speak for anyone else, but it's not that hard to just not do funky things in these areas.

Yes, it intrudes on my sphere, but I have no expectation of privacy at work, or on the street. If I want to do something private, I go somewhere private. It's not that much of a burden, at least to me.

Re:Cameras Everywhere

[Jah-Wren+Ryel]

Yes, it intrudes on my sphere, but I have no expectation of privacy at work, or on the street. If I want to do something private, I go somewhere private. It's not that much of a burden, at least to me.

What happens when cameras - and the databases behind them - become so pervasive that you can't go anywhere without a permanent record being made?
Its one thing for some people on the street to see you walk to the corner drug store and buy a pack of condoms.
Its an entirely different thing for that to be recorded and cross-indexed with everything else you've done outside of your home.

Re:I've hacked into...

[fridaynightsmoke]

so you like to hack into gay bar to watch penises, as they says : each to is own !

What a dick. If they find out, he's screwed.

Aggregator

[symes]

Someone has a whole list of open webcams: http://www.opentopia.com/hiddencam.php

My local red light cameras

[www.sorehands.com]

Now all I need is to have the IP address of my local red light and speed cameras.

Of course, I would never have any fun and do something like, changing the time, moving the camera, replacing drivers' faces with pictures of say, maybe Osama Bin Laden, Benjamin Franklin, or the president.

Re:My local red light cameras

[jgagnon]

Not if he hacked into it from your house. :p

where is the google mashup?

In 2011 I would expect to see a mashup showing a map with all the locations of the IP addresses that allows you to click and view

Old news

[HomelessInLaJolla]

Since I first arrived in La Jolla, CA (92037) and noticed the little black domes darn near everywhere I theorized that, whether or not different subcontractors manage the security contract for any individual location, there is some overseer--either official or sitting on a network intersection--who has access to all of them. They probably have a FPS/MMORPG type interface which they are able to use to follow any particular person around should any particular person happen to catch their special interest. Given that there is such a large number of retired, semi-retired, lucratively employed-at-home, or otherwise fantastically wealthy with nothing else to do, people in this area it does not strike me as at all odd that I rarely have more than five seconds of peace in any location before people begin arriving to poke their noses or just hover around. What would it take? One fantastically wealthy person with a security clearance, fifty or one hundred people (as few as fifteen would probably do) employed underneath them, and rotating access to rental cars/used car lots to keep up a decent ruse? Combine that with the local residents and office dwellers who could be recruited to "call us any time you see one of these people" (mostly homeless).

On many occasions it just seemed to be all too coincidental that as I headed from point A to point B that there were people at point B just waiting for me. Coincidence, sometimes; coincidence, sometimes; coincidence, sometimes... but after five years it cannot possibly be random cosmological coincidence _ALL_ of the time.

Imagining a society of harassment is not at all difficult. Since the wealth distribution is so ridiculously skewed and since those who have the wealth have had a demonstrated interest in maintaining their artificial superiority since the book of Genesis ("There's going to be a famine in the land... You should do what we tell you to do") it is hardly unreasonable to expect that the wealthy will devote some portion of their time and effort to following and sabotaging any of the financially enslaved who happen to challenge their superiority. Now we have near complete camera coverage of entire cities to assist that.

Go ahead. Tell me that the fantastically wealthy, having such resources available to them (legally, illegally, with or without the owner's knowledge... hardly a consideration for the people who sign your paychecks, the paychecks of the politicians, the paychecks of the judges, etc.), would not use them.

Re:Old news

[jafiwam]

Jared Lee Loughner? Welcome to Slashdot. They gave you access to the net?

City Denies Citizen Access Over Webcam Use

[HTH+NE1]

My city has several cameras around the city available for access at the city's taxpayer-funded website. I decided to use them once to create some time-lapse video of the wax and wane of winter weather. One day, suddenly I couldn't access the cams anymore. Or the entire website. They unilaterally decided that I was using too much of their bandwidth and dropped my IP into a configuration file to disable my access, expecting me to go to them to get my access reinstated. Of course, all information on how to contact them was on their now-restricted website.

The amount of data transferred was less than 1 DVD a month. It wasn't that the usage was excessive; it was that my usage was an identifiable spike. But instead of limiting how often you can pull frames from the cameras (I used 1 every 30 seconds, sub-SD resolution, in greyscale, but from every camera), they instead decided to lock me out. (They also say they don't retain the video they record.)

Unfortunately, since I was grabbing these still images using my machine at work, and others at work were just monitoring the cameras in preparation for travel home, they saw it as coming from multiple IPs in the same subnet and blocked the company's entire IP range, which became a problem when the head of HR was needing to do background checks on some potential new hires on the city website.

Now if I want to do time-lapse videos of traffic cams again, I'm going to have to do it from home and through Tor so they can't identify one IP block. Even though there's some nice snowfall patterns recently, it just isn't worth the effort/hassle to satisfy my creative curiosity now.