The Search Engine For Hacking IP Cameras (Shodan)

By: IPVM Team, Published on Sep 10, 2013

With the US FTC cracking down on an IP camera manufacturer for security / privacy violations, concern over camera vulnerabilities have increased significantly. In this note, we review an online tool that is rapidly gaining in popularity as the search engine to quickly find and compromise online devices like IP cameras. We show you how it is done with a video screencast that demonstrates how lightning fast this engine makes hacking cameras.

Background of Shodan

Shodan is a search engine that allows you to find devices connected to the Internet. This could be IP cameras, routers, and servers, but also more interesting devices like traffic lights, SCADA systems, and medical equipment. 

It was originally created by computer programmer John Matherly to allow companies to find devices connected to the Internet using their software. On its website, Shodan says it now indexes more than 500 million devices monthly. When an exploit is discovered, Shodan is often used to do a quick search of how many vulnerable devices are out there and connected to the Internet. 

Where it Becomes a Problem 

Many of the devices indexed on Shodan do not need credentials to access. For example, control systems for dams or crematoriums or refrigerators or home heating systems. Usually physical controls for these devices are in places where access is limited to authorized users. However, they are also connected to the Internet, for remote monitoring or mobile apps, etc. This leaves them exposed to anyone who comes across them on Shodan. For devices that do use login credentials, it is important to change default password settings.

Matherly says he tries to keep people from using Shodan for bad by requiring users to create a login and limiting the number of search results a person can get without buying a subscription. Matherly hopes people will be reluctant to hack devices if they have to provide financial information. That seems like a small setback from someone with the technical know-how to login and operate the controls to a utilities company. 

'Hacking' a Router in Less Than 60 Seconds

We recorded this example to show you how it works:

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Shodan and IP Cameras

Security researchers still have not found a way [link no longer available] to keep connected devices from showing up on Shodan, so the next best step is to make sure those devices are secure. The problem with IP cameras is that many of them, whether for convenience or ignorance, use default passwords. Default credentials are readily available online (e.g., our Default Passwords Directory). For now, the popular and publicized targets for hackers and the curious have been at-home web cameras like TRENDnet and Foscam and not higher end cameras, but higher end cameras are exposed as well. 

Here is an example of some search results from this week showing four Axis cameras currently connected to the Internet and their locations. Three of these cameras were inaccessible. The fourth is still using default login credentials. 

For the camera using defaults, not only can you access a live feed and setup, but you can also operate PTZ controls. 

 

Impact on Surveillance Users and Manufacturers

We know that researchers use Shodan to assess the number of devices vulnerable to an exploit. We also know a lot of users are just curious about what they can find. Unfortunately,there is no way to be sure how many people are using it for more malicious reasons. The easiest way to curb unwanted access would be for surveillance manufacturers to require end users to change default credentials during set up.

2 reports cite this report:

Arecont and Bosch - Default Security Risk on Dec 14, 2015
Default passwords are a major security risk, enabling hackers around the world to access and control devices like IP cameras (using Shodan, turning...
IP Camera Trolling - Cybersecurity Showcase on Nov 09, 2015
If you want to convince your customers about the importance of cybersecurity and the risk of being the next Hikvision, Foscam or Trendnet, show...
Comments (9) : Members only. Login. or Join.

Related Reports

China DVR/NVR Backdoor Discovered, Huawei Refutes on Feb 07, 2020
A backdoor was found in Chinese-produced DVRs and NVRs that secretly allowed access to the recorders. While it was first attributed to Huawei...
Dahua New Critical Vulnerability 2019 on Sep 23, 2019
Dahua has quietly admitted 5 new vulnerabilities including 1 critical vulnerability with a 9.8 / 10.0 CVSS score and 2 high vulnerabilities (scored...
Uniview OEM Directory on Sep 11, 2019
This directory lists 20+ companies that OEM products from Uniview, with a graphic and links to company websites below. It does not cover all...
ONVIF Exposure To "Devastating DDoS Attacks" Examined on Sep 06, 2019
ZDnet reported "Protocol used by 630,000 devices can be abused for devastating DDoS attacks", citing exposure of ONVIF devices. And after an...
Critical Vulnerability Across 18+ Network Switch Vendors: Cisco, Netgear, More on Aug 26, 2019
Cisco, Netgear and more than a dozen other brands, including small Asian ones, have been found to share the same critical vulnerability, discovered...
Dahua Wiretapping Vulnerability on Aug 02, 2019
IPVM has validated, with testing, and from Dahua, that many Dahua cameras have a wiretapping vulnerability. Even if the camera's audio has been...
Vivotek Trend Micro Cyber Security Camera App Tested on Jul 22, 2019
Vivotek and Trend Micro are claiming five million blocked attacks on IP cameras, with their jointly developed app for Vivotek cameras. This new...
LifeSafety Power NetLink Vulnerabilities And Problematic Response on May 20, 2019
'Power supplies' are not devices that many think about when considering vulnerabilities but as more and more devices go 'online', the risks for...
Security Fail: ASISNYC Auto Emails Passwords In Plain Text on May 14, 2019
ASIS NYC automatically emails a user with the password the user just entered, in plain text, when one registers for the site / event, as the...
Verint Victimized By Ransomware on Apr 18, 2019
Verint, which is best known in the physical security industry for video surveillance but has built a sizeable cybersecurity business as well, was...

Most Recent Industry Reports

FLIR New Coronavirus Prioritized Temperature Screening Camera Examined on Apr 03, 2020
FLIR has announced a new series of thermal cameras "prioritized for entities working to mitigate the spread of COVID-19 virus", the A400/A700...
ADI Branch Burglary on Apr 03, 2020
A security systems distributor branch is an odd target for burglary but that happened this week at ADI's Memphis location. Vehicle Smash &...
YCombinator AI Startup Visual One Tested on Apr 02, 2020
Startup Visual One, backed by Silicon Valley's powerful Y Combinator, aims to be "Your 24/7 Watchman" with advanced analytics and object...
Free IPVM Memberships For The Unemployed on Apr 02, 2020
IPVM is giving 3-month free memberships (regular price $99) for the unemployed, no questions asked. To get it, just contact us, your request...
Dahua Faked Coronavirus Camera Marketing on Apr 01, 2020
Dahua has conducted a coronavirus camera global marketing campaign centered around a faked detection. Now, Dahua has expanded this to the USA,...
Video Surveillance Trends 101 on Apr 01, 2020
This report examines major industry factors and how they could impact video surveillance in the next 5 - 10 years. This is part of our Video...
USA's Seek Scan Thermal Temperature System Examined on Apr 01, 2020
This US company, Seek, located down the road from FLIR and founded by former FLIR employees is offering a thermal temperature system for the...
Terrible Convergint Coronavirus Thermal Camera Recommendation on Apr 01, 2020
A week after Convergint disclosed falling revenue, pay and job cuts, Convergint is touting 'extensive research' that is either grossly incompetent...
The IPVM New Products Online Show April 2020 Opens With 40+ Manufacturers on Mar 31, 2020
IPVM is excited to announce the first New Products Online show, with 40+ manufacturers, to be held April 14 to the 16th, free to IPVM members,...