Stop. Leaving. Cameras. Unsecured. Hacked Surveillance Camera Becomes Art Project

And every manufacturer who says "well, it isn't our job to force password change on first logon, all the real integrators already do this anyway and there's no reason we have to protect the stupid from themselves" is just as culpable.

Man Googles his way into completely unsecured municipal surveillance system, turns resulting snapshots into art project.


Agreed.

However, and in addition, whoever let this camera on a public IP address without any firewall or barrier is an idiot.

Btw, is this really what passes for art in 2015?

Art is anything you can convince someone is art.

John, have you published a guide on how to use firewalls to secure cameras on a public IP? A "friend of mine" may or may not be such an idiot as this. I would like to give this "friend of mine" some pointers on securing the cameras he installed in a municipal park.

I think in general it is more difficult to leave things unsecured than to at least provisionally secure them using today's equipment.

For example, if a router is being used at the top of the municipal park network you describe, then it presumably is closed off from some random person surfing in off the internet like the 'artist' in the OP above.

So here's a general 'to-do' list for the situation you describe. Good news: it isn't difficult, exotic, nor expensive:

  1. Change default passwords and usernames on all network attached equipment. I bet you'd foil the majority of intrusion attempts by doing so.
  2. Use routers/firewalls between any network you wish to remain private vs. the public internet. If you want and need cross-access, then that is fine, but be explicit when permitting ports to be opened and/or forwarded.
  3. If available on your device, review the logs the firewall/router keeps of which IP addresses attempted to gain/did gain access to your network. If you don't recognize it, then block it. Seriously. IPs from your home town/region may be okay, but an IP from a country a continent away is probably up to no good.

"review the logs the firewall/router keeps of which IP addresses attempted to gain/did gain access to your network. If you don't recognize it, then block it."

Or if you are limiting access to a certain group / organization, put a whitelist in just for their IP address range and block everything else out.
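The two pieces of advice above (step 3 of the to-do list, and the reply about whitelisting an organization's IP range) come down to the same review loop: read the firewall's inbound log, separate sources inside the allowed range from everything else, and turn the rest into a block list. The script below is an added example, not code from this thread or from any router vendor. It works on constructed log lines in a netfilter-style `SRC=... DST=... DPT=...` format (the prefix, interface names and all addresses are made up from documentation ranges), and the allowed range 203.0.113.0/24 is an assumed stand-in for "the organization that should be watching the cameras". The one thing worth noticing in the output is an ACCEPT from a source outside the allowed range: a drop from a stranger means the firewall did its job, but an accept from a stranger means the forwarding rule is wider than the whitelist.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log (not a real capture). Format loosely follows Linux
# netfilter log lines; the "[FW-IN]" prefix is an assumed log prefix.
SAMPLE_LOG = """\
Jan 14 03:12:01 gw kernel: [FW-IN] ACCEPT SRC=203.0.113.25 DST=192.0.2.10 PROTO=TCP DPT=554
Jan 14 03:12:07 gw kernel: [FW-IN] DROP SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 14 03:12:09 gw kernel: [FW-IN] DROP SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP DPT=80
Jan 14 03:12:15 gw kernel: [FW-IN] ACCEPT SRC=198.51.100.77 DST=192.0.2.10 PROTO=TCP DPT=554
Jan 14 03:13:40 gw kernel: [FW-IN] ACCEPT SRC=203.0.113.90 DST=192.0.2.10 PROTO=TCP DPT=554
Jan 14 03:15:02 gw kernel: [FW-IN] DROP SRC=192.0.2.200 DST=192.0.2.10 PROTO=UDP DPT=3702
"""

# Assumed whitelist: the only network that should ever reach the cameras.
ALLOWED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

LINE_RE = re.compile(
    r"\b(ACCEPT|DROP)\s+SRC=(\S+)\s+DST=(\S+)\s+PROTO=(\S+)\s+DPT=(\d+)"
)


def parse_line(line):
    """Pull action, source, destination, protocol and destination port out of
    one log line. Returns None for lines that are not firewall records."""
    m = LINE_RE.search(line)
    if not m:
        return None
    action, src, dst, proto, dpt = m.groups()
    return {
        "action": action,
        "src": ipaddress.ip_address(src),
        "dst": dst,
        "proto": proto,
        "dport": int(dpt),
    }


def is_allowed(ip):
    """True if the source sits inside one of the whitelisted ranges."""
    return any(ip in net for net in ALLOWED_RANGES)


def review(log_text):
    """Count connection attempts per source outside the whitelist.

    Returns (attempts, accepted): attempts counts every logged packet from an
    unknown source; accepted counts only those the firewall let through,
    which is the list that needs action first."""
    attempts = Counter()
    accepted = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or is_allowed(rec["src"]):
            continue
        key = str(rec["src"])
        attempts[key] += 1
        if rec["action"] == "ACCEPT":
            accepted[key] += 1
    return attempts, accepted


def block_list(log_text):
    """Sorted list of unknown sources seen in the log, i.e. the candidates
    for the router's block list (per step 3 above: if you don't recognize
    it, block it)."""
    attempts, _ = review(log_text)
    return sorted(attempts)


def render_report(log_text):
    """Human-readable summary, with accepted-from-unknown sources first."""
    attempts, accepted = review(log_text)
    lines = []
    for src, n in accepted.most_common():
        lines.append(f"URGENT  {src}: {n} accepted connection(s) from outside the whitelist")
    for src, n in attempts.most_common():
        if src not in accepted:
            lines.append(f"blocked {src}: {n} attempt(s), all dropped")
    return lines


if __name__ == "__main__":
    for line in render_report(SAMPLE_LOG):
        print(line)
    print("block list:", ", ".join(block_list(SAMPLE_LOG)))
```

Run it against a real log by replacing `SAMPLE_LOG` with the contents of the router's log export; the regular expression only needs the `SRC=`/`DPT=` fields, which most consumer firewalls that log to syslog emit in some form.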

One important point to prevent hacking is to make sure to use a router. Many people put an IP camera at a remote location directly on the modem. If the camera has other services/ports exposed, they are now accessible. Using a router, and ONLY forwarding the necessary ports, now provides another level of security (assuming the router isn't vulnerable and has passwords changed).
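What "ONLY forwarding the necessary ports" looks like on a Linux-based router running nftables, as an added example that is not from this thread or from any product's documentation. Everything here is assumed: WAN on eth0, LAN on eth1 as 192.168.1.0/24, the camera at 192.168.1.20, the camera's RTSP stream on TCP 554, and 203.0.113.0/24 as the only range that should be allowed to view it. The weak setting that the reply warns about, a blanket "DMZ host" forward of every port to the camera, is shown commented out beside the narrow rule that replaces it, and both the accepted and the dropped WAN traffic are logged with prefixes so the router's log can be reviewed as described above.

```nft
#!/usr/sbin/nft -f
# Assumed layout (constructed): eth0 = WAN, eth1 = LAN 192.168.1.0/24,
# camera = 192.168.1.20, viewers = 203.0.113.0/24.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif "lo" accept
        # Router admin UI reachable from the LAN only; nothing from eth0.
        iif "eth1" accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # LAN devices may go out to the Internet.
        iif "eth1" oif "eth0" accept

        # WEAK (do not use): the "DMZ host" style rule many routers offer,
        # which exposes every service the camera has, not just video:
        #   iif "eth0" ip daddr 192.168.1.20 accept

        # NARROW: only RTSP, only to the camera, only from the viewer range.
        iif "eth0" ip saddr 203.0.113.0/24 ip daddr 192.168.1.20 tcp dport 554 \
            log prefix "[FW-FWD] ACCEPT " accept

        # Anything else arriving from the WAN is logged (rate limited) and
        # then falls through to the chain's drop policy.
        iif "eth0" limit rate 10/minute log prefix "[FW-FWD] DROP "
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        # Translate only the one port; the filter chain above still decides
        # whether the translated packet is allowed through.
        iif "eth0" tcp dport 554 dnat to 192.168.1.20
    }

    chain postrouting {
        type nat hook postrouting priority 100;
        oif "eth0" masquerade
    }
}
```

Two things the narrow rule buys you: the camera's web UI, telnet, ONVIF discovery and anything else it listens on are unreachable from the WAN even if the camera's own password is still the default, and the `[FW-FWD] DROP` lines give you the record of who knocked, which is what the "review the logs" step needs.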

Many people put an IP camera at a remote location directly on the modem.

By setting the camera's IP to a real public IP address?

My God, I hope no one is doing that!

"My God, I hope no one is doing that!"

That seems to be the most likely explanation for this incident. How else did the 'artist' stumble upon the camera?

In fact, I stumbled across a number of IQ cameras this way a few years ago. I was looking up some firmware or documentation or something, and googled a long string that was normally the camera's full model number (I think), and the majority of the results were the strings being returned by openly accessible cameras around the world....

Can't remember for the life of me now what the exact string was... I have so few IQs still deployed and most of them, the name was changed to match the site. Oh well, if I find it, I'll update this.

Why do you think that these cameras were set up 'directly on the cable modem'?

Keep in mind this was several years ago, when broadband routers were a relatively new thing, and most people with home cable or DSL broadband were also blithely plugging their desktop computers directly into their modems as well... so plugging a camera straight into the modem would probably not seem an out-of-the-ordinary way to do it.

That seems to be the most likely explanation for this incident.

I would disagree.

I can't find any more information about this particular incident, but I have no reason to think that this one is any different than the usual:

Router/firewall with unsecured ports, being forwarded to an NVR/DVR/IP camera with default user/password.

Which, IMHO, is slightly more defensible than having an IP camera 'directly on the modem', as Aaron said (implying without any router/firewall).

Because, when typing in a real public IP, provided by an ISP, in the camera network settings, you can have no illusions about what you are doing, you are putting the camera on the Internet directly. Where people punch holes all the time in firewalls thinking they are protected so...

Moreover, how exactly do you connect a DVR/NVR to such a camera? You can't, except through the Internet.

To Aaron's point, I'm sure it happens, especially when there is just one camera and a cable modem and you are trying to save space or dough, or doing it intentionally.

Often cameras used as a "webcam" aren't being recorded, just used for monitoring. I have logged in to too many cameras (by searching or for work purposes) and seen a global static IP address entered into the camera.

I have also seen a cable modem > camera setup where the cameras have unique global IP addresses off of one modem. The NVR can then have another IP and record the cameras via the global IP address, but off of the modem/switch.

This is usually the case when the person involved doesn't understand IP addressing and that you usually don't need static IP addresses, so they buy a bunch of static IPs instead of 1. I find that this usually complicates things, as you need special modems to handle this, and you then can't use private IP addresses for devices.

I have also seen a cable modem > camera setup where the cameras have unique global IP addresses off of one modem.

Wow, multiple cameras all with their own static public IP address?

Costly AND stupid.

And definitely even more reckless, since as you allude, you also need to have the skills to set up a SOHO router for multiple outbound public IPs, so ignorance is no defense.

Because, when typing in a real public IP, provided by an ISP, in the camera network settings, you can have no illusions about what you are doing, you are putting the camera on the Internet directly.

I have never, EVER, when setting up broadband internet for someone, had to manually enter an ISP-provided IP. The most complicated it's ever been was having to set up a username and password for PPPoE, but even then, everything else was provided by the ISP's DHCP server.

Given the majority of cameras come configured for DHCP, it's not difficult for a non-network-savvy person to simply plug one into a cable or DSL modem, and have it available online without having to really think about the consequences.

The problem is when a non-technical installer or end user talks to the ISP and says "I am hooking up 5 cameras to the internet", the ISP replies "you need static IP addresses. We will invoice you for them and send you a business class router." The tech/end user just says OK. Some routers will give the static global IP addresses via DHCP, but even so, it is a PITA to access it, etc. on a local network. I usually tell them to return the router and IP addresses, get a basic modem and router (2 separate devices) and set up port forwarding and DDNS.

The ISP rep doesn't understand how you can have 5 cameras on a local network. A knowledgeable camera guy doesn't understand how to have 5 public IP addresses on a local network. It ends up wasting hours of time, instead of doing what is SOP.

I always tell people to leave the ISP out of it, unless you are asking for 1 static IP (not usually needed), more speed, or a basic modem. Any other time, they make a mess of it... and I hate their modem/router combos. I have seen too many where the forwarding is way too complex, and doesn't even work when configured...

Given the majority of cameras come configured for DHCP, it's not difficult for a non-network-savvy person to simply plug one into a cable or DSL modem, and have it available online without having to really think about the consequences.

How would you even know the IP to view the Camera? That should be a tip-off right there, even for the most unsavvy, no?

Sometimes I marvel at how other guys got things to work, with the bizarre ways they're set up... maybe the guy with five cameras open to the world called the ISP and they managed to look them up in their own DHCP tables. Who knows?

All I'm saying is, it CAN happen, and it DOES happen, and I know this because I've SEEN the results. How these setups got from A to B may always be a mystery.

Lol. I'm sure you've seen things no man should ever see. :)

I don't doubt it could happen, I'm just saying installing cameras, DHCP, directly into a cable modem is not an easy mistake to make, assuming you want to see the video.

The thought that there might be a better way should occur to you while on tech-support hold waiting for the rep to look up your DHCP address du jour.

Though assuming the default passwords have been changed, it's relatively secure compared to the ones behind firewalls but with admin/admin unchanged.

VERY good discussion to say the least. I was under the impression that ONVIF was in the process of releasing a Profile that would make changing default passwords mandatory. If so, this incident highlights the expediency of such a profile.

Harun, yes, ONVIF Profile Q. It's not official yet but hopefully in the next few years it will have an impact.

See: New ONVIF Profile Q Aims To Change Discovery and Default Passwords

If IP cameras are running Linux maybe they can run a firewall.

http://www.tecmint.com/open-source-security-firewalls-for-linux-systems/

If you want to see some more, have a look at www.shodan.io and you'll find lots of cameras with default user credentials.

By the way, don't forget to secure your WiFi too. Routers and firewalls are all nice, but if you put up an unsecured/badly secured WiFi network behind them, the door is still open (although you need to be in range of this WiFi network to get in, of course).