The Search Engine For Hacking IP Cameras (Shodan)

By: IPVM Team, Published on Sep 10, 2013

With the US FTC cracking down on an IP camera manufacturer for security / privacy violations, concern over camera vulnerabilities has increased significantly. In this note, we review an online tool that is rapidly gaining in popularity as the search engine to quickly find and compromise online devices like IP cameras. We show you how it is done with a video screencast that demonstrates how lightning fast this engine makes hacking cameras.

Background of Shodan

Shodan is a search engine that allows you to find devices connected to the Internet. This could be IP cameras, routers, and servers, but also more interesting devices like traffic lights, SCADA systems, and medical equipment. 

It was originally created by computer programmer John Matherly to allow companies to find devices connected to the Internet using their software. On its website, Shodan says it now indexes more than 500 million devices monthly. When an exploit is discovered, Shodan is often used to do a quick search of how many vulnerable devices are out there and connected to the Internet. 

Where it Becomes a Problem 

Many of the devices indexed on Shodan do not require credentials to access: for example, control systems for dams, crematoriums, refrigerators, or home heating systems. Usually the physical controls for these devices are in places where access is limited to authorized users. However, they are also connected to the Internet, for remote monitoring, mobile apps, etc. This leaves them exposed to anyone who comes across them on Shodan. For devices that do use login credentials, it is important to change the default password settings.

Matherly says he tries to keep people from using Shodan for malicious purposes by requiring users to create a login and limiting the number of search results a person can get without buying a subscription. Matherly hopes people will be reluctant to hack devices if they have to provide financial information. That seems like a small obstacle for someone with the technical know-how to log in and operate the controls of a utility company.

'Hacking' a Router in Less Than 60 Seconds

We recorded this example to show you how it works:


Shodan and IP Cameras

Security researchers still have not found a way [link no longer available] to keep connected devices from showing up on Shodan, so the next best step is to make sure those devices are secure. The problem with IP cameras is that many of them, whether out of convenience or ignorance, use default passwords. Default credentials are readily available online (e.g., our Default Passwords Directory). For now, the popular and publicized targets for hackers and the curious have been at-home web cameras like TRENDnet and Foscam rather than higher end cameras, but higher end cameras are exposed as well.

Here is an example of some search results from this week showing four Axis cameras currently connected to the Internet and their locations. Three of these cameras were inaccessible. The fourth is still using default login credentials. 

For the camera using defaults, not only can you access a live feed and setup, but you can also operate PTZ controls. 


Impact on Surveillance Users and Manufacturers

We know that researchers use Shodan to assess the number of devices vulnerable to an exploit. We also know a lot of users are just curious about what they can find. Unfortunately, there is no way to be sure how many people are using it for more malicious reasons. The easiest way to curb unwanted access would be for surveillance manufacturers to require end users to change default credentials during setup.
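The mitigation recommended here, and in the "Where it Becomes a Problem" section above (change the defaults; better, make the device refuse to operate until they are changed), is easy to state but worth seeing as logic a camera firmware could actually enforce. The following is an added example written for this page, not IPVM's code and not any manufacturer's firmware. It models a camera's web UI credential store that ships with a hypothetical factory account (`admin` / `admin`, a constructed placeholder, not a specific vendor's default), flags it as must-change, rejects the factory default and common weak passwords as replacements, and redirects every request (live view, PTZ, setup) to the password-change page until the default has been replaced. Path names such as `/video/live` and `/ptz` are assumptions for illustration.

```python
"""Added example: first-boot credential policy for an IP camera web UI.

Not IPVM's or any vendor's code. The factory account, weak-password list
and URL paths below are constructed for the example.
"""
from dataclasses import dataclass
import hashlib
import hmac
import os

# Constructed placeholder for a factory account; real defaults vary per vendor.
FACTORY_DEFAULTS = {"admin": "admin"}
# Small constructed list of passwords that are never acceptable as replacements.
COMMON_WEAK = {"123456", "password", "12345", "1234", "admin123", "qwerty"}
MIN_LENGTH = 12
PBKDF2_ROUNDS = 100_000
CHANGE_PATH = "/setup/password"  # assumed path of the password-change page


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 so the store never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    must_change: bool  # True while the factory default is still in place


class CredentialStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        # Every factory account starts in the must-change state.
        for user, pw in FACTORY_DEFAULTS.items():
            salt = os.urandom(16)
            self.accounts[user] = Account(user, salt, _hash(pw, salt), True)

    def verify(self, username: str, password: str) -> bool:
        acct = self.accounts.get(username)
        if acct is None:
            return False
        return hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)

    def password_problems(self, username: str, new_password: str) -> list[str]:
        """Return the reasons a proposed password is rejected (empty = OK)."""
        problems = []
        if len(new_password) < MIN_LENGTH:
            problems.append("too short")
        if new_password.lower() in COMMON_WEAK:
            problems.append("common password")
        if new_password in FACTORY_DEFAULTS.values():
            problems.append("factory default")
        if username.lower() in new_password.lower():
            problems.append("contains username")
        return problems

    def change_password(self, username: str, old: str, new: str) -> bool:
        """Replace a password; clears the must-change flag on success."""
        if not self.verify(username, old):
            return False
        if self.password_problems(username, new):
            return False
        acct = self.accounts[username]
        acct.salt = os.urandom(16)
        acct.pw_hash = _hash(new, acct.salt)
        acct.must_change = False
        return True


def authorize(store: CredentialStore, username: str, password: str,
              path: str) -> tuple[str, str]:
    """Gate one request. Returns (decision, detail).

    While the factory default is still set, every path except the
    password-change page is redirected there, so neither the live feed nor
    PTZ controls are reachable with default credentials.
    """
    if not store.verify(username, password):
        return ("deny", "bad credentials")
    acct = store.accounts[username]
    if acct.must_change and path != CHANGE_PATH:
        return ("redirect", CHANGE_PATH)
    return ("allow", path)


if __name__ == "__main__":
    store = CredentialStore()
    print(authorize(store, "admin", "admin", "/video/live"))  # redirect
    store.change_password("admin", "admin", "Lobby-Cam-7!Rose")
    print(authorize(store, "admin", "Lobby-Cam-7!Rose", "/ptz"))  # allow
```

The point of the `must_change` flag is that the device is unusable, not merely nagging, until the default is gone: a camera that still answers `/video/live` or `/ptz` with the factory password, as the Axis example above did, gains nothing from a "please change your password" banner. Re-salting on change and comparing hashes with `hmac.compare_digest` keeps the store itself from becoming the next weak point.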
