Wednesday, March 21, 2012

Peep show: inside the world of unsecured IP security cameras

If you’re in public, you’re on camera. If you walk into a coffee shop, the owner gets you at the register. Visit a larger store, and chances are they have your face as soon as you cross the threshold. At least one or two of your neighbors catch you on camera when you walk around your neighborhood, and many cities monitor traffic using red light cameras at major intersections. The question is no longer if you’re on camera, but rather how many different angles you were caught on while going about your day.
With so much monitoring taking place, and with surveillance systems gaining more online functionality every year, it’s natural that securing these systems would become... complicated, and that many are secured incorrectly or not at all. Because so many cameras and surveillance systems are completely open, it's possible for anyone with Internet access to watch literally thousands of cameras online using only Google and a kindergartener’s understanding of the 'Net. With a little time and patience, almost any given system, from a set of residential cameras to those used by your local police, can be accessed, viewed, and even reset if not properly secured. Of course, if you can do this, it means that anyone can do it.
Feel safer yet?

Surveillance on the Internet

Though they are relative newcomers to the surveillance market, IP cameras caught on quickly and are rapidly stealing market share and consumer preference from traditional (analog) cameras. In an analog system, all cameras need to be wired directly back to a central recording system using analog cable (typically RG-59 or RG-6 coaxial). Installation can be a financial and practical nightmare, especially on larger properties where there may be hundreds or even thousands of feet between cameras and their base station.
IP cameras often present an attractive alternative. Using the same basic technology that your computer uses, IP cameras take their own IP addresses and stream video directly onto a network without connecting to a DVR or control platform. Larger systems can integrate multiple IP cameras together using an NVR (network video recorder) that connects to and records multiple cameras at the same time. This capability can cut installation cost by literally thousands of dollars on sites where analog cameras would require long or complex cable runs.
IP cameras also frequently offer higher resolution (with some models capable of 10 megapixels or more) and a more familiar platform for users to work with, meaning that they are frequent favorites for smaller installations, too. Many forward-looking government, commercial, and even residential users are already standardizing their security on an entirely IP-based system, and most surveillance industry insiders feel this trend will continue into the foreseeable future.
Once an IP camera is installed and online, users can access it using its own individual internal or external IP address, or by connecting to its NVR (or both). In either case, users need only load a simple browser-based applet (typically Flash, Java, or ActiveX) to view live or recorded video, control cameras, or check their settings. As with anything else on the Internet, an immediate side effect is that online security becomes an issue the moment the connection goes active.
Though most NVRs require usernames and passwords for access, many individual cameras do not. An NVR can have the most advanced password imaginable, but if its remote cameras are online and unprotected, anyone with a web browser can completely bypass the system's security, no hacking required.
Regardless of where a system is installed, if it has any online presence whatsoever, it’s vulnerable. All it takes is time and some skillful Googling to gain access.
Screen capture of a common camera interface

Finding open doors

Finding IP cameras with Google is surprisingly easy. Though the information the search engine provides on the cameras themselves is typically little more than an IP address and a camera name or model number, Google still provides those who know how to ask with extensive lists of IP cameras and Web-enabled surveillance systems throughout the world.
The secret is in the search itself. Though a standard Google search typically won’t find anything out of the ordinary, pairing advanced search tags (“intitle,” “inurl,” “intext,” and so on) with names of commonly-used cameras or fragments of URLs will provide direct links to watch live video from thousands of IP cameras.
For example, a standard Google search for “Axis 206M” (a 1.3 megapixel IP camera by Axis) yields pages of spec sheets, manuals, and sites where the camera can be purchased. Change the search to “intitle: ‘Live View / - AXIS 206M,’” though, and Google returns 3 pages of links to 206Ms that are online and viewable. The trick is that instead of searching for anything related to the 206M, the modified search tells Google to look specifically for the name of the camera’s remote viewing page.
Some cameras are even easier than that. For instance, though a search for “intext:’MOBOTIX M10’ intext:’Open Menu’” will bring up direct links for M10s that are online and ready to be viewed, simply searching “Mobotix M10,” the make and model of the camera, returns basically the same results. It’s just a matter of knowing which cameras are online and how their remote viewers are structured. Though some of the links will be to cameras that are password protected or to cameras that were deliberately left open for public viewing, the vast majority will belong to users who intended them to be private.
As IP cameras became more popular and this Google trick became better known, entire communities sprang up around finding and watching unsecured cameras; many larger forums (such as 4chan and SomethingAwful) have had large threads on the topic. To make access easier, members of these groups have posted pages of Google-ready search strings that grant access to dozens of different camera makes and models, meaning virtually anyone can get started with just a little effort. No technical knowledge, finesse, or prior experience needed; one need only find a list of search terms (an easy task with any search engine) and start copying and pasting into Google.
It's so easy even a freelance journalist can do it. I fired up my browser, found a list of search terms, and went exploring.

So what's out there?

With Google providing a roadmap to thousands of unsecured cameras, getting started was incredibly easy. Though my experience in the surveillance industry afforded me some familiarity with the search terms and cameras that were online, picking search strings randomly from the list would have been equally effective. The important thing is getting the link, which only takes a five-year-old’s knowledge of the Internet.
I quickly discovered that it was easy to spot cameras that were deliberately meant to be viewable, both because they had snappy names and because they were typically set up in ways that were less useful from a security perspective. It’s impossible to tell for sure, but if a camera’s Google hit was named “University Quad Cam!!!” and set up to offer a wide-angle view of an academic building from 100 feet up (practically useless for security), the intention was probably to take a nice picture, not to secure a property. By landing on these cameras over and over again, I took an interesting tour around the planet, one camera at a time.
In addition to seeing college campuses in San Francisco, Portland, and several spots in the American Midwest, I found idyllic winter scenes in Germany, Switzerland, China, and parts of Scandinavia. The time difference made this an especially nice surprise. Even though it was the middle of the afternoon in North America, I could see a beautifully lit square in Europe, with snow-topped roofs and couples meandering quietly down groomed pathways. When looking at outdoor scenes, the appeal of finding unsecured IP cameras starts to become clear; it’s kind of fun to study what’s going on in a picture and try to figure out where in the world you’re looking.
Winter scene, somewhere in Europe
For example, while watching one camera offering a wide-angle view of a public square, the snow, the architecture, and the fact I was looking at a night scene at 3pm (my time) led me to believe I was connected somewhere in Europe. Seeing the displays behind the large plate-glass windows told me that I was looking at a shopping area of some sort, and after a while I realized there were a fair number of people walking around the square, leading me to guess that it was still early in the evening there. I had just come to the conclusion that I was looking at somewhere in western Europe when I noticed a Swiss flag flying from one of the buildings, which validated my inference (though it also rendered my junior detective work obsolete). Still, I enjoyed the mental exercise and it made watching cameras more like solving a puzzle than doing something illicit.
This was particularly true for the cameras with Pan/Tilt/Zoom (PTZ) functionality, which allow users to zoom and move cameras to explore a site. PTZ functionality allows security staff to look around a sensitive area without physically being there, but when one is left unsecured, it becomes a toy for the Internet. Not only could I look around an area to gain more clues as to where I was, but I could also zoom in to read signs or watch activity. Though PTZ cameras are a little more difficult to find, I still got to use them to explore a construction site and a few large business properties as well, though for the most part these were just parking lots and loading areas.
Working down my list of Google strings I found a few surprises as well, which served to confirm that literally everything is online. I found two cameras installed in aquariums, one stocked with nothing but piranhas (though I guess it may have held other fish originally...) and another fully stocked community tank at a large public aquarium. This second tank had huge schools of fish and even sea turtles swimming around, and actually became a favorite of mine that I returned to several times.
A large aquarium
I was also able to find a feed from a set of eight live porn cameras, which of course occurred while my fiancée was sitting next to me on our couch, before I had mentioned I was working on this article. This showed me that accessing unsecured IP cameras was dangerous in ways I hadn’t expected.
Though accessing public cameras can be fun and is essentially harmless, it’s impossible to divorce the voyeuristic aspects of Googling cameras from the innocent ones. Because the majority of the cameras the engine finds are meant for surveillance, most of what’s out there is being used in security applications and is not meant to be seen by others.
This hit home quickly as I worked through my list of search strings and found myself watching daily events at businesses around the world. Though jewelry stores typically use the top tier of surveillance and security gear (and therefore secure it better), I was able to find several boutique stores around the world and watch as customers browsed display cases full of gold and silver. Although just looking at a store online couldn’t cause any harm, knowing when the store is occupied or empty could prove useful to a burglar looking for an easy target, especially if one was able to narrow down where the store was (not a huge stretch with the camera’s IP address to trace).
A jewelry store
At one point I found a hardware store and watched as two staff members worked behind a counter. After a few moments, one happened to empty a cash register and walk off-camera with the money, which allowed me to deduce a general location of the business’s safe. The same was true when I found a small toy store; though only one staff member was visible on camera, he was talking to someone off-camera. At the very least it implied that he wasn’t alone, but it might also have hinted at the number of staff members who work in the store at a given time. That came up again when I found a camera monitoring a production line at a distillery and watched as several people tagged and boxed bottles of liquor. Learning about the daily ins and outs of all of these businesses was just a matter of patient observation.
In addition to the retail businesses I accessed, I was also able to find a doctor’s office somewhere in Asia and, perhaps most surprising, a set of three red-light cameras that I pinpointed to an intersection in eastern Texas (not much of a challenge since the cameras gave me the streets’ names). Although I was only watching the video, the fact was that I had accessed a set of public security cameras that were left wide open for anyone to get in. Once a camera has been accessed in this way, someone with the time and inclination could possibly get into the camera’s admin settings to move it (if it was a PTZ) or even change the triggering settings to prevent it from capturing images when it was supposed to do so.
A red light camera
Googling for unsecured IP cameras is a mixed bag. Though I found some beautiful scenes that were probably intended to be public, I also gained free access to businesses and at least one government system. I'll never know why these cameras were left open in this way, but because closing them off to the Internet is just as simple as accessing them, it's an easy situation to remedy.

Locking the Internet out

Regardless of the makes or models of their cameras, administrators can easily lock unauthorized users out of their cameras simply by enabling the onboard security that DVRs, NVRs, and IP cameras come with and by changing their default usernames and passwords (especially important since the default combinations are easily available on manufacturers' websites). The specific ways to do this vary from system to system, but the method is always covered in the manual. Spending the extra ten minutes to enable and customize security settings is literally all it takes. Google may still be able to find them, but no one will be able to actually gain access, and the site that the cameras are meant to protect will be invisible to others.
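One way for an administrator to confirm the lockdown took effect is to fetch each of their own cameras' viewer pages without credentials and sort the responses. The sketch below is an added example, not part of the original article: the addresses (RFC 5737 documentation IPs), the captured responses and the three verdict names are all constructed for illustration.

```python
import re

# Constructed captures: what each camera in the owner's inventory returned when
# its viewer URL was fetched WITHOUT credentials (RFC 5737 documentation IPs).
SAMPLE_CAPTURES = {
    "192.0.2.10": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  "<html><head><title>Live View / - AXIS 206M</title></head></html>",
    "192.0.2.11": "HTTP/1.1 401 Unauthorized\r\n"
                  'WWW-Authenticate: Digest realm="camera", nonce="constructed"\r\n\r\n',
    "192.0.2.12": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                  "<title>Login</title><form><input type='password' name='pw'></form>",
    "192.0.2.13": "HTTP/1.1 302 Found\r\nLocation: /index.html\r\n\r\n",
}

def parse_response(raw):
    """Split a raw HTTP response into (status code, headers dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(status_line.split()[1]), headers, body

def classify(raw):
    """Return 'protected', 'exposed' or 'review' for one capture."""
    status, headers, body = parse_response(raw)
    if status == 401 and "www-authenticate" in headers:
        return "protected"                      # HTTP auth challenge
    if status == 200 and re.search(r"type=[\"']?password", body, re.I):
        return "protected"                      # login form, no video yet
    if status == 200:
        return "exposed"                        # content served with no login
    return "review"                             # redirect or error: check by hand

def audit(captures):
    """Map each address to (verdict, page title or None)."""
    report = {}
    for addr in sorted(captures):
        title = re.search(r"<title>(.*?)</title>", captures[addr], re.I | re.S)
        report[addr] = (classify(captures[addr]), title.group(1).strip() if title else None)
    return report

if __name__ == "__main__":
    for addr, (verdict, title) in audit(SAMPLE_CAPTURES).items():
        print(f"{addr:<12} {verdict:<10} {title or '-'}")
```

Any camera reported as "exposed" is still serving its viewer page to anyone who reaches it; the page title in the report is the same text a search engine would index.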
Still, as those who are reading this article on their neighbor’s unsecured wireless network can tell us, there will always be users who just don’t bother to read the manual or who just never get around to setting up even basic security, so there will also be those who make a hobby of finding and watching these cameras. If you leave your blinds wide open, you really shouldn’t be surprised when you discover someone looking through your windows.
