In case you needed a reminder to secure your IP security cameras with a strong password, a new feature of the Shodan IoT search engine should do the trick.
By typing “has_screenshot: true port 554” while logged into the search engine, users can now see screenshots from vulnerable webcams around the world. Ars Technica reportsthat the new search filter was first spotted by security researcher Dan Tentler, who often tweets links to cameras and other insecure IoT devices surfaced by Shodan.
For vulnerable webcams, the problem lies in the use of the Real Time Streaming Protocol on an open port with no password protection. When Shodan finds one of these cameras, it indexes the IP address, camera details, and other information, along with a screenshot. A quick look through the search results shows plenty of images that clearly should be private, including living rooms, offices, and bars. (A one-time $49 charge provides access to a running image feed at images.shodan.io.)
Shodan itself has been around since late 2009, indexing details on all kinds of Internet-connected devices that are beyond the purview of a traditional search engine such as Google. It’s pitched mainly as a security research tool and a way for businesses to monitor connected device usage, but it has also exposed controls to utilities, heating and cooling units, and traffic systems. We reported on the vulnerabilities it can expose back in 2014.
Why this matters: Shodan’s new webcam-snooping feature raises more questions about who is responsible for keeping IoT devices secure. Some of the blame lies with consumers, who are often overconfident about the security of their connected devices. But as Ars points out, vendors aren’t doing much to help with that problem, as they race to the bottom on price, neglect security, and gloss over the risks of using their products. If nothing changes, we may see government regulators clamp down on insecure devices; maybe they’ll be able to use Shodan as an enforcement tool.