IoT Security Is So Bad, There's a Search Engine For Sleeping Kids

An anonymous reader writes: Shodan, a search engine for the Internet of Things (IoT), recently launched a new section that lets users easily browse vulnerable webcams. The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores. While IoT manufacturers are to blame, this also highlights the creepy stuff you can do with Shodan these days. At the start of January, Check Point recommended companies to block Shodan's crawlers. The infosec community came to defend Shodan, and even its founder said that Shodan is uselessly branded as a tool of evil, saying that attackers have their own scanning tools.

Johnny can't encrypt

[dfn5]

Security is hard and companies have to make their video surveillance products easy enough for a socker mom to install. Frankly I'm not surprised. Nor do I have a solution. As someone who has to provide tech support to family and friends I realize how hard it is to "just make it work" for those who couldn't care less about the technical details.

Re:Johnny can't encrypt

[__aaclcg7560]

As someone who has to provide tech support to family and friends I realize how hard it is to "just make it work" for those who couldn't care less about the technical details.

If you're not charging your relatives for tech support, you're doing it wrong. The fastest way to discourage relatives is to quote the hourly rate of your local mechanic ($100 in my area). If your relatives won't pay to have a mechanic fix the car, you can bet that they won't pay to have you fix the computer.

Re:Johnny can't encrypt

[omglolbah]

Yet, for wireless routers encryption is enabled by default for most, and a sticker with the password is put on the physical device.
Why not the same for a camera?
Not a perfect solution, but a hell of a lot better than the current situation.

Re:Johnny can't encrypt

[Dutch+Gun]

Generally speaking, implementing correct security is extremely difficult, but a company that puts security as a priority can design systems that are secure by default, and strike a reasonable balance between customer ease of use and effectiveness. It doesn't have to be impossible for a soccer mom to use a device securely.

You can see the difference in two competing chat apps: Threema vs iChat. Threema is a "trust no-one" model, and requires you to actually meet face to face with a person to pre-exchange keys before you can chat with the maximum security protocol. iChat, on the other hand, "just works", relying on Apple to manage the key exchange. You're giving up a small amount of security for the convenience of a seamless experience, and trusting Apple to keep it the channel secure on your behalf.

I think most people would be fine with trusting the company they bought their devices from to actively manage the security aspects so they don't have to think too much about it, but in many cases, it's not that the security is flawed... it's completely non-existent. Anyone complaining about Shodan is simply blaming the messenger. The blame lies squarely on the companies that are selling these products with zero security in mind.

Re:Johnny can't encrypt

[AmiMoJo]

Problem with charging your relatives for support is that they will then start charging you for the same. Need a lift to the airport? Help moving house? Look after your cat for the weekend? Childcare?

Rather than becoming the black sheep of the family, just be more assertive at calling in those favours. Start the conversation with "how is your computer doing?" and end it with "so I need help moving this grand piano I bought..." You can even cash in while doing the tech support. When the call up, say you will come over, and then casually ask if they have any of that meatloaf they served the other day you could grab a slice or two of.

Re:It's a search engine for webcams

[rudy_wayne]

According to TFA, which of course no one has bothered to read:

Shodan crawls the Internet at random looking for IP addresses with open ports. If an open port lacks authentication and streams a video feed, the script takes a snap and moves on. The cameras are vulnerable because they use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place. The image feed is available to paid Shodan members at images.shodan.io. Free Shodan accounts can also search using the filter "port:554 has_screenshot:true."

Re:Let me get this straight...

Calm yourself and then understand one thing: there is no breaking in going on, here. These cameras are broadcasting this shit directly to all comers, wide open to the world. No one is "tak[ing] a hammer and break[ing] into someone's home," they're standing on the sidewalk looking into the front windows where the home builder didn't bother to install any blinds.

Re:You've made your point...now shut it down.

[Lunix+Nutcase]

Because sweeping this under the rug means bad guys won't ever attack these devices. *rolls eyes* Their point won't have been made until these *groan* IoT *groan* device making shitheads secure their crapware.

Offering data to the public Internet

[Morgaine]

An AC wrote:

People who don't secure their systems and devices are to blame for someone breaking into them?

There was no breaking in.

If you provide data to the public Internet without any form of restriction, you can't then validly complain when the Internet public sees that data. You offered it publicly, and the public took you up on your offer.

This isn't anything like breaking and entering, nor even like someone walking through a door which you left wide open. It's much more intentional on your part than that:-- you offered data to the public by creating an unrestricted access port on the Internet, your offer was accepted when someone opened that port, and then you deliberately sent your data out to that recipient. It was your choice, before and after you made the offer to the public. Nobody can force you to send your data if you don't want to. Your system wasn't hacked to change its code to something that you did not intend.

The closest analogy I can make is to imagine yourself standing on the sidewalk in the high street, an open sweet jar in one hand, and the other hand outstretched offering sweets to passers by. The highstreet is the public Internet, and your invitingly outstretched hand is the open port. If someone takes hold of the sweet, you can still prevent it from being taken by holding tightly onto the wrapper (an access restriction, perhaps you want to check that recipients are smiling first).

But if you first offer a sweet and then release it, you don't get to complain --- it was your visible intention to hand out sweets to passers by, and nobody can read your mind, only your actions. If you don't understand this then perhaps you don't grasp how Internet protocols work, and you would be best advised to stay well clear of the Internet.

You may wish that Internet protocols worked some other way, perhaps using ESP, but they don't. They work as they were defined.

Re:You've made your point...now shut it down.

[excelsior_gr]

I'm afraid I have to agree. This search engine needs to receive as much publicity as possible, not get swept under the rug. Only then, I hope, will the people become aware of how orwellian the IoT really is.

Re:Shodan *started* as a webcam search engine

That's actually incorrect. I launched the search engine with the idea of it being used to empirically gather market intelligence ("Netcraft for everything"). And the first search queries that the infosec community ran were for printers. Webcams only came around much later.