Wednesday, February 16, 2011

Security cameras may not be so secure after all!


I was intrigued to read an article about how vulnerable security camera feeds are to hackers.

The question is no longer if you’re on camera, but rather how many different angles you were caught on while going about your day.

With so much monitoring taking place, and with surveillance systems gaining more online functionality every year, it’s natural that securing these systems would become ... complicated. And that many many are secured incorrectly or not at all. Because so many cameras and surveillance systems are completely open, it's possible for anyone with Internet access to watch literally thousands of cameras online using only Google and a kindergartner's understanding of the 'Net. With a little time and patience, almost any given system, from a set of residential cameras to those used by your local police, can be accessed, viewed, and even reset if not properly secured. Of course, if you can do this, it means that anyone can do it.

. . .

Regardless of where a system is installed, if it has any online presence whatsoever, it’s vulnerable. All it takes is time and some skillful Googling to gain access.

Finding IP cameras with Google is surprisingly easy. Though the information the search engine provides on the cameras themselves is typically little more than an IP address and a camera name or model number, Google still provides those who know how to ask with extensive lists of IP cameras and Web-enabled surveillance systems throughout the world.

The secret is in the search itself. Though a standard Google search typically won’t find anything out of the ordinary, pairing advanced search tags ("intitle", "inurl", "intext", and so on) with names of commonly-used cameras or fragments of URLs will provide direct links to watch live video from thousands of IP cameras.

. . .

With Google providing a roadmap to thousands of unsecured cameras, getting started was incredibly easy. Though my experience in the surveillance industry afforded me some familiarity with the search terms and cameras that were online, picking search strings randomly from the list would have been equally effective. The important thing is getting the link, which only takes a five-year-old’s knowledge of the Internet.

. . .

I was also able to find a feed from a set of eight live porn cameras, which of course occurred while my fiancée was sitting next to me on our couch, before I had mentioned I was working on this article. This showed me that accessing unsecured IP cameras was dangerous in ways I hadn’t expected.

Though accessing public cameras can be fun and is essentially harmless, it’s impossible to divorce the voyeuristic aspects of Googling cameras from the innocent ones. Because the majority of the cameras the engine finds are meant for surveillance, most of what’s out there is being used in security applications and is not meant to be seen by others.

. . .

At one point I found a hardware store and watched as two staff members worked behind a counter. After a few moments, one happened to empty a cash register and walk off-camera with the money, which allowed me to deduce a general location of the business’ safe.

. . .

In addition to the retail businesses I accessed, I was also able to find a doctor’s office somewhere in Asia and, perhaps most surprising, a set of three red-light cameras that I pinpointed to an intersection in eastern Texas (not much of a challenge since the cameras gave me the streets’ names). Although I was only watching the video, the fact was that I had accessed a set of public security cameras that were left wide open for anyone to get in. Once a camera has been accessed in this way, someone with the time and inclination could possibly get into the cameras’ admin settings to move it (if it was a PTZ) or even change the triggering settings to prevent it from capturing images when it was supposed to do so.


There's much more at the link. Interesting reading, particularly for anyone who uses Internet-connected security cameras at work or at home. After reading it, you can bet that if I ever use such devices for security purposes, I'm locking them down against unauthorized access!

Peter

2 comments:

Chris said...

Deduce the location to the safe? Heck, where I work, there is a camera pointed at the safe! Oh yeah, there is one on the back door too, watching you put in your pass code.

FrankC said...

There was a scheme here in Rightpondia to allow internet users to watch CCTV feeds. I suppose the idea was to save money and get unpaid citizens to report crime as it happened.
Don't know if it's still running.