3,000 Public Surveillance Cameras - 1 Website

Author: Carlton Purvis, Published on Mar 04, 2014

A new website accesses more than 3,000 surveillance cameras over the Internet. The feeds available on the site include, private homes, school classrooms, hotel lobbies and hospitals. We take a look at the site and discuss potential issues.

The Site

The site is called Live Security Cams. On the top right of the screen it displays how many feeds are available to watch.

The domain was registered last year. The site operator recently announced the site on reddit.

* *** ******* ******** **** **** *,*** ************ ******* **** the ********. *** ***** ********* ** *** **** *******, ******* homes, ****** **********, ***** ******* *** *********. ** **** * look ** *** **** *** ******* ********* ******.

The ****

*** **** ** ********** ******** ****. ** *** *** ***** ** *** ****** ** ******** how **** ***** *** ********* ** *****.

*** ****** *** ********** **** ****. *** **** ******** ***************** *** **** ** ******.

[***************]

Feeds *********

** ***** **** ** **** **** ******** *** ******** ******* -- **** **** *** **** ********* ** ********* ** *** feeds. **** **** * ******. ******** *** ****. ********* ** * ******. ***** *** **** ***** **** ****** ********, *********, *******, airports, ******** *** ******* *****.

**** ** *** **** *********** **** *** **** **** *** actively ***** ********** ** *********, ********* * **** ** **** catches ** ********* ***.**** ****** ***** ********** ** ******* ** **** * ******* ******** in *** *** ******* ***:

**** ****** ** *** ** ** ********* ****, ******* ** *** ******* ** ******* ** ***:



Breaking ****

******** ***** **** ****** *****, ******* ** ******** *** ** socially *****, *** ***’* *********** ***** *** ****. *******, *** the ***** ****** *****.*. ********* ** ******'* *******, ****** ***** ******* ********* ****** ** * ******** ********* of *****, *** *** ********** ******* ***********.

Future ***** *** *** *******

*** ****** **** *** ******* *** **** **** ** ***** to *** * ******* ** ****** ** ******** *** **** remove ******* **** ****** *********** ** ***’* ****. *********, *** camera ********* *** ********* ******* **** ******* *** **** ** coming ****, *** ***** ** ** *** ****** **** ******* to ***. **** ***** ********* *** *****, *******, *** **** of ***** *****, **** *** **** *********** ******* ** *********, once *** ******** **** ** *********, ** *******’* ** **** to **** *** *** *** *** **** **.

Privacy *** ****** ********

****** *** *********** ***** ******* ** ***** **** ******* ******* from ******** **, ********** *********** **** **** ***** ********. **’* *** ***** *** *** ***** *** ***** ********, but ** ***** **** *** ******* *** *** ******** ********* over *** ********, *** ** ******* *** ********.

**** ** **** **** ** *********** ****** ******** ******, *** the **** * **** ****** **** ********** ***** “*****” ** by ******* *** *********** *****. *** ***** ****** **** **** they *********** ********* ***** ******* *** *** **.

Comments (22)

Scott Sheldrake

03/04/14 09:21pm

It's amazing how of this stuff is out there. I did a Shodan search for the word "Exacq" and it listed about 30 public IP's - you can use the Exacq Client to log in with the default admin / admin256 creds and have full Admin status with Live Viewing and everything else.

The Black Hat 2013 video you guys posted last week was pretty much the best example of how insecure some of this stuff is though.

Thumbnail zayon 1673

Ari Erenthal

Chesapeake & Midlantic | 03/04/14 10:33pm

The Lorex camera I used as a nannycam forces you to choose a username and password during setup, and won't proceed until you do. Shame on every camera manufacturer that doesn't do the same.

Undisclosed #1

In reply to Ari Erenthal | 03/05/14 01:06pm

Lorex is a consumer brand, especially with a nannycam product. For that market, it's probably good that the manufacturer forces some security protocol onto the user.

For professional brands, forcing you to change/set passwords on first logins would not be the right thing to do, IMO. It should be safe to assume the installer handles that task as part of a professional install.

As an example, the customer might want to set passwords and not give knowledge to the installer, or the installer might be checking some units beforehand (maybe they are installing 20 cameras, 15 they are familiar with and 5 are new models, so they bench test those to get familiar with them). Forcing password changes arbitrarily shouldn't be neccessary when dealing with a "professional". So, I would not blame Exacq or others for now following that process, I would blame the installer OR the customer, that is THEIR job, not the manufacturers.

Thumbnail zayon 1673

Ari Erenthal

Chesapeake & Midlantic | In reply to Undisclosed #1 | 03/05/14 03:09pm

While what you say should be true, the fact that we are commenting on a story about a website that automatically finds open cameras which Carlton was able to get into using the default credentials shows that something is still very wrong. It is the installer's job to change the passwords, just like it's my job to change the oil in my car on a regular basis, but my little Nissan still flashes a light at me when I forget to.

John Honovich

IPVM | In reply to Ari Erenthal | 03/05/14 04:01pm

Recall our poll on the default password directory report. 21% of IPVM readers say they always use default passwords in production.

Thumbnail zayon 1673

Ari Erenthal

Chesapeake & Midlantic | In reply to John Honovich | 03/05/14 04:49pm

Right. Making fun of people who should know better for doing dumb things feels good but doesn't contribute towards solving the problem.

John Honovich

IPVM | In reply to Ari Erenthal | 03/05/14 04:50pm

Who's making fun of anyone?

Undisclosed #1

In reply to Ari Erenthal | 03/05/14 04:50pm

A flashing light is good. The car suddenly going into auto-pilot mode and FORCING you to get an oil change would be bad.

Thumbnail zayon 1673

Ari Erenthal

Chesapeake & Midlantic | In reply to Undisclosed #1 | 03/05/14 04:57pm

I have to unlock my car and disable the alarm before I can open the door and drive away. It's something of an imposition but I put up with it because it helps prevent auto theft.

John Honovich

IPVM | In reply to Ari Erenthal | 03/05/14 05:00pm

You can leave your car unlocked. Locking a car is one's choice. Right? No?

I mean we all don't live in Brooklyn :)

Undisclosed #1

In reply to Ari Erenthal | 03/05/14 05:01pm

Your analogy is breaking down. Your car is more like the consumer Lorex example.

Look at heavy equipment, things used by professionals. Many of these devices have very weak locks and ignition control devices by default. The user/owner of the equipment knows and understands this and implements a more secure system on their own.

I do not believe manufacturers of pro-grade security equipment should at this time implement FORCED password management schemes.

Thumbnail zayon 1673

Ari Erenthal

Chesapeake & Midlantic | In reply to Undisclosed #1 | 03/05/14 05:06pm

Well, I see lots of upside and practically no downside to implementing a forced password scheme, but of course reasonable people can disagree.

In the meantime, we'll just see open camera search engines like this every six months or so.

John Honovich

IPVM | In reply to Ari Erenthal | 03/05/14 05:09pm

Created a poll and new discussion: Should IP Cameras Force Passwords To Be Changed On First Login?

Rukmini Wilson

In reply to Undisclosed #1 | 03/05/14 07:05pm

As an example, the customer might want to set passwords and not give knowledge to the installer, or the installer might be checking some units beforehand (maybe they are installing 20 cameras, 15 they are familiar with and 5 are new models, so they bench test those to get familiar with them).

Undisclosed A, how does forcing the choice (not the change) of the admin password on first boot make it harder for the customer to set the passwords? The installer could just set the password to the name of his customer (not recommended of course but 1000x better than the global default) and tell the customer.

Ditto on internal testing, set the password to some global default fo your company. Sure its not the most secure way but if even this were implemented we Carlton's article would be '30 Public...' instead of 3000.

Finally, your opinion of what 'shouldn't be necessary when dealing with a "professional"' indicates you may feel slighted by the arguably ever-eroding stature of the security professional. Yes/No?

Undisclosed #1

In reply to Rukmini Wilson | 03/05/14 07:21pm

I have no opinion on the erosion of the stature of any position, it's not something that deeply affects me one way or the other.

In regards to first-init password management, my concern is with devices that force you to supply unique credentials before you can effectively use them. There are many cases (IMHO) where you might be bringing a device online, but not at the point where you want to go making ANY changes to the default config.

My opinion is that manufacturers should concentrate on building reliable devices with the neccessary set of features and configuration options for their target market, but should leave the customization or personalization of those features and options to the customer's ultimate decision. Especially in the case of security devices, where the customer is presumably purchasing the device FOR enhanced security, its not the manufacturers duty to inflict their opinions on the installation of the product. How far should we take this argument? Should they also enforce strong passwords? Should they enforce regular password changes?

In my experience, this can backfire on the pro side vs. the consumer side. When a consumer installs a camera, they are probably very likely to use a semi-strong password that is unique to them. It might be the name of their dog or child, or a word+number combo they use elsewhere, or something else that is at least mildly unique. Most corporations on the other hand when forced to choose corporate default passwords use fairly weak and guessable passwords, and use them across multiple things. In this case, if you're forcing a tech to change the password, the chance is very high (IMO) that their choice becomes something like Password or Passw0rd, they are going to be inclined to make it a very simple and memorable string because there is a good chance multiple techs are going to be involved with the system, and they'd generally all want to agree on an easy to remember string.

Also, there is much less reason to worry about unique password security during the install/setup of the system. It's when it is turned over to the customer that it makes the most sense to lock things down, but this forced password change at init causes you to make the password decision at the wrong time.

Rukmini Wilson

In reply to Undisclosed #1 | 03/05/14 09:44pm

Most corporations on the other hand when forced to choose corporate default passwords use fairly weak and guessable passwords, and use them across multiple things.

This is true, but why argue such a point when even weak passwords, i.e. 'cam2' or 'tommy' are least a magnitude harder than the public defaults, which when port scanning for devices, are the ones always tried and if unsucessful they usually move to the next port.

One can only assume that you would actually prefer that 'pro' devices ship with empty credentials, i.e. blank id, blank password. If not, why not? Your techs wouldn't have to remember the 10 or so pairs of creds.

Maybe next time a mfr. starts prompting to set a password on init, just have everyone set it to the old mfr default password anyway. What do you care if other installers might change it to something more secure?

Could the issue be that having to set the root password on every camera requires one to go to the web page of each camera one by one? Instead of just auto-discovery by the VMS? That's a reason that I could understand...

Scott Sheldrake

03/05/14 08:44pm

Leaving password as default isn't that critical if they aren't exposed to the public internet. But anyone who has the knowledge / takes the time to open ports on a firewall should also be competent enough to change the default password.

It would be an interesting business to start a "mini-pen-test" aimed at security systems. IE - you pay XXX $$ to a pen-tester and supply them your public IP and let them go to town. IPVM, do you know if something like this exists?

Carlton Purvis

In reply to Scott Sheldrake | 03/05/14 08:55pm

Scott that does exist. There are a number of cybersecurity companies who do this (Google: white hat security companies), but there are probably even more independent hackers who would do this for you for a fraction of the cost -- you would just have to hope they didn't leave anything behind after the test.

Rukmini Wilson

In reply to Scott Sheldrake | 03/05/14 10:12pm

should also be competent enough to change the default password...

Of course they should, but with millions(?) of ip cameras out there, there are bound to be honest mistakes, new employees, non-arecont owners resetting cameras etc. that slip thru the cracks...

And no doubt they 'deserve it' but don't you think its still better for everyone concerned than to allow this flourishing community of vouyers to expand unchecked?

Undisclosed Integrator #2

In reply to Scott Sheldrake | 03/17/14 02:25pm

I think their is another answer here. It Is critical because not all poor behavior comes from the internet. There are plenty of large corporate, city, county and state workers on networks who are not and better behaved than the "internet" people. Internal thefts and workplace violence can easily be hidden if these network users can get on to the camera and kill feeds or change presets. No internet required.

Scott Sheldrake

03/05/14 09:01pm

Have you come across one that has a website and actually does this specifically targetting IP camera systems?

Carlton Purvis

In reply to Scott Sheldrake | 03/05/14 09:15pm

Solely cameras? But usually cameras are on a long list of devices that when connected to the Internet can target. At Black Hat, Def Con and Shmoocon and a lot of these guys presenting have their own companies, but also work pen-testing for major companies too. Here is a presentation from last month that is worth watching.

Login to read this IPVM report.
Why do I need to log in?
IPVM conducts unique testing and research funded by member's payments enabling us to offer the most independent, accurate and in-depth information.

Related Reports on Privacy

UK: Private Video Surveillance Complaints Down Since GDPR on Jan 09, 2019
The arrival of the GDPR on May 25, 2018, brought fears the law would spark a massive increase in privacy complaints about security camera use....
IPVM Best New Products 2019 Opened - 70+ Entrants on Jan 07, 2019
The inaugural IPVM Best New Product Awards has been opened - the industry's first and only program where the awards are not pay-to-play and the...
Startup Sunflower Labs' Autonomous Drone Security System on Dec 11, 2018
Startup Sunflower Labs is claiming a unique design on a home security system, combining autonomous drones and 'Sunflower' sensors. Imagine an...
Cybersecurity Insurance For Security Integrators on Nov 29, 2018
Most security industry professionals carry insurance to cover themselves in the event of a general loss. However, most are not carrying cyber...
No GDPR Penalties For UK Swann 'Spying Hack' on Nov 20, 2018
The UK’s data protection agency has closed its investigation into Infinova-owned Swann Security UK, the ICO confirmed to IPVM, deciding to take “no...
French Government Threatens School with $1.7M Fine For “Excessive Video Surveillance” on Nov 14, 2018
The French government has notified a high-profile Paris coding academy that it risks a fine of up to 1.5 million euros (about $1.7m) if it...
Genetec Privacy Protector Tested on Nov 12, 2018
Genetec has built Kiwi Security's Privacy Protector into Security Center, an analytic which anonymizes individuals in cameras' fields of view...
Belgium Bans Private Facial Surveillance on Jul 06, 2018
Belgium has effectively banned the use of facial recognition and other biometrics-based video analytics in surveillance cameras for private,...
GDPR For Access Control Guide on Jul 03, 2018
Electronic access control is common in businesses plus organizations are increasingly considering biometrics for access control. With GDPR coming...
GDPR / ICO Complaint Filed Against IFSEC Show Facial Recognition on Jun 20, 2018
IPVM has filed a complaint against IFSEC’s parent company UBM based on our concern that the conference violates core GDPR principles on...

Most Recent Industry Reports

Cable Trenching for Surveillance on Jan 21, 2019
Trenching cable for surveillance is surprisingly complex. While using shovels, picks, and hoes is not advanced technology, the proper planning,...
Milestone Favorability Results 2019 on Jan 21, 2019
Milestone's favorability moderately strengthed, in new IPVM integrator statistics over their results from 2016. While the industry has been...
Intersec 2019 Live Day 1 - Massive China Presence on Jan 21, 2019
There’s a massive presence from Chinese or China-focused video surveillance firms, chiefly Hikvision, Dahua, Huawei, and Infinova, at...
The IP Camera Lock-In Trend: Meraki and Verkada on Jan 18, 2019
Open systems and interoperability have not only been big buzzwords over the past decade, but they have also become core features of video...
NYPD Refutes False SCMP Hikvision Story on Jan 18, 2019
The NYPD has refuted the SCMP Hikvision story, the Voice of America has reported. On January 11, 2018, the SCMP alleged that the NYPD was using...
Mobile Surveillance Trailers Guide on Jan 17, 2019
Putting cameras in a place for temporary surveillance where power and communications are not readily available can be complicated and expensive....
Exacq Favorability Results 2019 on Jan 17, 2019
Exacq favorability amongst integrators has declined sharply, in new IPVM statistics, compared to 2017 IPVM statistics for Exacq. Now, over 5 since...
Testing Bandwidth Vs. Low Light on Jan 16, 2019
Nighttime bandwidth spikes are a major concern in video surveillance. Many calculate bandwidth as a single 24/7 number, but bit rates vary...
Access Control Records Maintenance Guide on Jan 16, 2019
Weeding out old entries, turning off unused credentials, and updating who carries which credentials is as important as to maintaining security as...
UK Fines Security Firms For Illegal Direct Marketing on Jan 16, 2019
Two UK security firms have paid over $200,000 in fines for illegally making hundreds of thousands of calls to people registered on a government...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact