The Search Engine For Hacking IP Cameras (Shodan)

By IPVM Team, Published on Sep 10, 2013

With the US FTC cracking down on an IP camera manufacturer for security / privacy violations, concern over camera vulnerabilities have increased significantly. In this note, we review an online tool that is rapidly gaining in popularity as the search engine to quickly find and compromise online devices like IP cameras. We show you how it is done with a video screencast that demonstrates how lightning fast this engine makes hacking cameras.

Background of Shodan

Shodan is a search engine that allows you to find devices connected to the Internet. This could be IP cameras, routers, and servers, but also more interesting devices like traffic lights, SCADA systems, and medical equipment. 

It was originally created by computer programmer John Matherly to allow companies to find devices connected to the Internet using their software. On its website, Shodan says it now indexes more than 500 million devices monthly. When an exploit is discovered, Shodan is often used to do a quick search of how many vulnerable devices are out there and connected to the Internet. 

Where it Becomes a Problem 

Many of the devices indexed on Shodan do not need credentials to access. For example, control systems for dams or crematoriums or refrigerators or home heating systems. Usually physical controls for these devices are in places where access is limited to authorized users. However, they are also connected to the Internet, for remote monitoring or mobile apps, etc. This leaves them exposed to anyone who comes across them on Shodan. For devices that do use login credentials, it is important to change default password settings.

Matherly says he tries to keep people from using Shodan for bad by requiring users to create a login and limiting the number of search results a person can get without buying a subscription. Matherly hopes people will be reluctant to hack devices if they have to provide financial information. That seems like a small setback from someone with the technical know-how to login and operate the controls to a utilities company. 

'Hacking' a Router in Less Than 60 Seconds

We recorded this example to show you how it works:

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Shodan and IP Cameras

Security researchers still have not found a way [link no longer available] to keep connected devices from showing up on Shodan, so the next best step is to make sure those devices are secure. The problem with IP cameras is that many of them, whether for convenience or ignorance, use default passwords. Default credentials are readily available online (e.g., our Default Passwords Directory). For now, the popular and publicized targets for hackers and the curious have been at-home web cameras like TRENDnet and Foscam and not higher end cameras, but higher end cameras are exposed as well. 

Here is an example of some search results from this week showing four Axis cameras currently connected to the Internet and their locations. Three of these cameras were inaccessible. The fourth is still using default login credentials. 

For the camera using defaults, not only can you access a live feed and setup, but you can also operate PTZ controls. 

 

Impact on Surveillance Users and Manufacturers

We know that researchers use Shodan to assess the number of devices vulnerable to an exploit. We also know a lot of users are just curious about what they can find. Unfortunately,there is no way to be sure how many people are using it for more malicious reasons. The easiest way to curb unwanted access would be for surveillance manufacturers to require end users to change default credentials during set up.

2 reports cite this report:

Arecont and Bosch - Default Security Risk on Dec 14, 2015
Default passwords are a major security risk, enabling hackers around the...
IP Camera Trolling - Cybersecurity Showcase on Nov 09, 2015
If you want to convince your customers about the importance of cybersecurity...
Comments (9) : Members only. Login. or Join.

Related Reports

Video Surveillance History on May 06, 2020
The video surveillance market has changed significantly since 2000, going...
PRC Warns Against China Video Surveillance Hacks, Hikvision Targeted on Feb 14, 2020
Hackers are targeting China video surveillance manufacturers and systems,...
Verkada Disruptive Embedded Live Help on Sep 24, 2020
Call up your integrator? Have someone come by the next day? Verkada is...
Verkada Access Control Tested on Sep 09, 2020
Verkada raised $80 million earlier in 2020, expanding from video into access...
YOLOv5 Released Amidst Controversy on Jul 27, 2020
YOLO has gained significant attention within video surveillance for its...
OnTech Smart Services Partners With Google and Amazon To Compete With Integrators on Sep 25, 2020
A pain point for many homeowners to use consumer security and surveillance is...
Video Analytics 101 on Mar 16, 2020
This guide teaches the fundamentals of video surveillance...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Surveillance Storage 101 on Mar 23, 2020
This guide teaches the fundamentals of video surveillance...
NetApp Video Surveillance Profile on Mar 09, 2020
NetApp is increasing its efforts in video surveillance and told IPVM...
China Surveillance Vulnerabilities Being Used To Attack China, Says China on Apr 07, 2020
While China video surveillance vulnerabilities have been much debated in the...
Cisco Video Surveillance Is Dead, Long Live Cisco Meraki Video Surveillance on Feb 11, 2020
A dozen years ago much of the industry thought that Cisco was destined to...
Ubiquiti Access Control Tested on Oct 21, 2020
Ubiquiti has become one of the most widely used wireless and switch providers...
VSaaS 101 on Mar 25, 2020
Video Surveillance as a Service (VSaaS) is the common industry term for cloud...
Startup Solink $17 Million USD Fund Raise Expands To Mass Market on Jun 24, 2020
Solink has raised ~$17 million USD, a sizeable round for the company that...

Recent Reports

Motorola Solutions Total Revenue Down, Video Revenue Up on Oct 30, 2020
Motorola Solutions' total revenue is down, but video (both fixed and...
Recruiters Show 2020 On-Demand Recordings on Oct 30, 2020
Recordings from the 12 recruiter presentations are now available...
Consultants Show 2020 On-Demand Recording on Oct 29, 2020
Recordings from the consultant show are available on-demand at the end of...
Hikvision AcuSense G2 Camera Test on Oct 29, 2020
Hikvision has released their next generation of AcuSense analytic cameras...
Biggest Problems Selling Access Control 2020 on Oct 29, 2020
Access control can cause integrators big headaches. What practical issues do...
Taiwan Geovision AI Analytics and NDAA Examined on Oct 29, 2020
Taiwan manufacturer Geovision's revenue has been falling for years. However,...
Bedside Cough and Sneeze Detector (Sound Intelligence and CLB) on Oct 28, 2020
Coronavirus has increased interest in detecting symptoms such as fever and...
Fever Tablet Thermal Sensors Examined (Melexis) on Oct 28, 2020
Fever tablet suppliers heavily rely on the accuracy and specs of...
Verkada Fires 3 on Oct 28, 2020
Verkada has fired three employees over an incident where female colleagues...
Eagle Eye Networks Raises $40 Million on Oct 27, 2020
Eagle Eye has raised $40 million aiming to "reinvent video...
Hikvision Q3 2020 Global Revenue Rises, US Revenue Falls on Oct 27, 2020
While Hikvision's global revenue rises driven by domestic recovery, its US...
VICE Investigates Verkada's Harassing "RawVerkadawgz" on Oct 26, 2020
This month, IPVM investigated Verkada's sexism, discrimination, and cultural...
Six Flags' FDA Violating Outdoor Dahua Fever Cameras on Oct 26, 2020
As Six Flags scrambled to reopen parks amid plummeting revenues caused by the...
ISC Brasil Digital Experience 2020 Report on Oct 23, 2020
ISC Brasil 2020 rebranded itself to ISC Digital Experience and, like its...
Top Video Surveillance Service Call Problems 2020 on Oct 23, 2020
3 primary and 4 secondary issues stood out as causing the most problems when...