The Search Engine For Hacking IP Cameras (Shodan)

By: IPVM Team, Published on Sep 10, 2013

With the US FTC cracking down on an IP camera manufacturer for security and privacy violations, concern over camera vulnerabilities has increased significantly. In this note, we review an online tool that is rapidly gaining popularity as the search engine for quickly finding and compromising online devices like IP cameras. We show you how it is done with a video screencast that demonstrates how lightning fast this engine makes hacking cameras.

Background of Shodan

Shodan is a search engine that allows you to find devices connected to the Internet. These include IP cameras, routers, and servers, but also more interesting devices like traffic lights, SCADA systems, and medical equipment.

It was originally created by computer programmer John Matherly to allow companies to find devices connected to the Internet using their software. On its website, Shodan says it now indexes more than 500 million devices monthly. When an exploit is discovered, Shodan is often used to do a quick search of how many vulnerable devices are out there and connected to the Internet. 

Where it Becomes a Problem 

Many of the devices indexed on Shodan do not need credentials to access, for example control systems for dams, crematoriums, refrigerators, or home heating systems. Usually the physical controls for these devices are in places where access is limited to authorized users. However, they are also connected to the Internet for remote monitoring, mobile apps, etc. This leaves them exposed to anyone who comes across them on Shodan. For devices that do use login credentials, it is important to change the default password.

Matherly says he tries to keep people from using Shodan maliciously by requiring users to create a login and by limiting the number of search results a person can get without buying a subscription. Matherly hopes people will be reluctant to hack devices if they have to provide financial information. That seems like a small setback for someone with the technical know-how to log in and operate the controls of a utility company.

'Hacking' a Router in Less Than 60 Seconds

We recorded this example to show you how it works:


Shodan and IP Cameras

Security researchers still have not found a way to keep connected devices from showing up on Shodan, so the next best step is to make sure those devices are secure. The problem with IP cameras is that many of them, whether out of convenience or ignorance, use default passwords. Default credentials are readily available online (e.g., our Default Passwords Directory). For now, the popular and publicized targets for hackers and the curious have been at-home web cameras like TRENDnet and Foscam rather than higher end cameras, but higher end cameras are exposed as well.

Here is an example of some search results from this week showing four Axis cameras currently connected to the Internet and their locations. Three of these cameras were inaccessible. The fourth is still using default login credentials. 

For the camera using defaults, not only can you access a live feed and setup, but you can also operate PTZ controls. 

 

Impact on Surveillance Users and Manufacturers

We know that researchers use Shodan to assess the number of devices vulnerable to an exploit. We also know a lot of users are just curious about what they can find. Unfortunately, there is no way to be sure how many people are using it for more malicious reasons. The easiest way to curb unwanted access would be for surveillance manufacturers to require end users to change default credentials during setup.
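
The manufacturer-side control suggested above, sketched as an added example (not IPVM's code or any vendor's firmware): a camera that ships with no usable credential and serves nothing but a first-run page until a non-default password is set. The class name, endpoint paths and default-password list are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample list; a real product would carry the vendor's own known defaults.
KNOWN_DEFAULTS = {"admin", "password", "admin123", "12345678", "root", "pass"}
PROTECTED = {"/live", "/setup", "/ptz"}  # hypothetical endpoint names

class CameraAuth:
    """Hypothetical device-side auth state for an IP camera."""

    def __init__(self):
        self.salt = None
        self.pw_hash = None  # None means factory state: no usable credential exists

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def set_initial_password(self, username, password):
        """Allowed only in factory state; rejects short or default-like passwords."""
        if self.pw_hash is not None:
            return False, "already provisioned"
        if len(password) < 8:
            return False, "too short"
        if password.lower() in KNOWN_DEFAULTS or password.lower() == username.lower():
            return False, "default or username-derived password"
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        return True, "provisioned"

    def authorize(self, path, password=None):
        """Return an HTTP-style status code for a request to `path`."""
        if self.pw_hash is None:
            # Factory state: only the setup wizard answers, so an unconfigured
            # camera that is reachable online exposes no feed, setup or PTZ.
            return 200 if path == "/first-run" else 403
        if path == "/first-run":
            return 410  # the wizard is gone once a password exists
        if path not in PROTECTED:
            return 404
        if password is None:
            return 401
        ok = hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)
        return 200 if ok else 401
```
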
