The Search Engine For Hacking IP Cameras (Shodan)

By: IPVM Team, Published on Sep 10, 2013

With the US FTC cracking down on an IP camera manufacturer for security / privacy violations, concern over camera vulnerabilities have increased significantly. In this note, we review an online tool that is rapidly gaining in popularity as the search engine to quickly find and compromise online devices like IP cameras. We show you how it is done with a video screencast that demonstrates how lightning fast this engine makes hacking cameras.

Background of Shodan

Shodan is a search engine that allows you to find devices connected to the Internet. This could be IP cameras, routers, and servers, but also more interesting devices like traffic lights, SCADA systems, and medical equipment. 

It was originally created by computer programmer John Matherly to allow companies to find devices connected to the Internet using their software. On its website, Shodan says it now indexes more than 500 million devices monthly. When an exploit is discovered, Shodan is often used to do a quick search of how many vulnerable devices are out there and connected to the Internet. 

Where it Becomes a Problem 

Many of the devices indexed on Shodan do not need credentials to access. For example, control systems for dams or crematoriums or refrigerators or home heating systems. Usually physical controls for these devices are in places where access is limited to authorized users. However, they are also connected to the Internet, for remote monitoring or mobile apps, etc. This leaves them exposed to anyone who comes across them on Shodan. For devices that do use login credentials, it is important to change default password settings.

Matherly says he tries to keep people from using Shodan for bad by requiring users to create a login and limiting the number of search results a person can get without buying a subscription. Matherly hopes people will be reluctant to hack devices if they have to provide financial information. That seems like a small setback from someone with the technical know-how to login and operate the controls to a utilities company. 

'Hacking' a Router in Less Than 60 Seconds

We recorded this example to show you how it works:

Get Notified of Video Surveillance Breaking News
Get Notified of Video Surveillance Breaking News

Shodan and IP Cameras

Security researchers still have not found a way [link no longer available] to keep connected devices from showing up on Shodan, so the next best step is to make sure those devices are secure. The problem with IP cameras is that many of them, whether for convenience or ignorance, use default passwords. Default credentials are readily available online (e.g., our Default Passwords Directory). For now, the popular and publicized targets for hackers and the curious have been at-home web cameras like TRENDnet and Foscam and not higher end cameras, but higher end cameras are exposed as well. 

Here is an example of some search results from this week showing four Axis cameras currently connected to the Internet and their locations. Three of these cameras were inaccessible. The fourth is still using default login credentials. 

For the camera using defaults, not only can you access a live feed and setup, but you can also operate PTZ controls. 

 

Impact on Surveillance Users and Manufacturers

We know that researchers use Shodan to assess the number of devices vulnerable to an exploit. We also know a lot of users are just curious about what they can find. Unfortunately,there is no way to be sure how many people are using it for more malicious reasons. The easiest way to curb unwanted access would be for surveillance manufacturers to require end users to change default credentials during set up.

2 reports cite this report:

Arecont and Bosch - Default Security Risk on Dec 14, 2015
Default passwords are a major security risk, enabling hackers around the...
IP Camera Trolling - Cybersecurity Showcase on Nov 09, 2015
If you want to convince your customers about the importance of cybersecurity...
Comments (9) : Members only. Login. or Join.

Related Reports

Video Surveillance History on May 06, 2020
The video surveillance market has changed significantly since 2000, going...
NetApp Video Surveillance Profile on Mar 09, 2020
NetApp is increasing its efforts in video surveillance and told IPVM...
Video Analytics 101 on Mar 16, 2020
This guide teaches the fundamentals of video surveillance...
Vulnerability Directory For Access Credentials on Feb 20, 2020
Knowing which access credentials are insecure can be difficult to see,...
Uniview Deep Learning Camera Tested on Jul 14, 2020
Uniview's intrusion analytics have performed poorly in our shootouts. Now,...
Surveillance Storage 101 on Mar 23, 2020
This guide teaches the fundamentals of video surveillance...
VSaaS 101 on Mar 25, 2020
Video Surveillance as a Service (VSaaS) is the common industry term for cloud...
PRC Warns Against China Video Surveillance Hacks, Hikvision Targeted on Feb 14, 2020
Hackers are targeting China video surveillance manufacturers and systems,...
Last Chance - Spring 2020 IP Networking Course - Register Now on May 06, 2020
This is the last chance to register for the only networking course designed...
Use Access Control Logs To Constrain Coronavirus on Apr 09, 2020
Access control users have included capabilities that are not commonly used...
Video Surveillance Trends 101 on Apr 01, 2020
This report examines major industry factors and how they could impact video...
YOLOv5 Released Amidst Controversy on Jul 27, 2020
YOLO has gained significant attention within video surveillance for its...
Remote Network Access for Video Surveillance Guide on Jul 27, 2020
Remotely accessing surveillance systems is key in 2020, with more and more...
Vehicle Gate Access Control Guide on Mar 19, 2020
Vehicle gate access control demands integrating various systems to keep...
China Surveillance Vulnerabilities Being Used To Attack China, Says China on Apr 07, 2020
While China video surveillance vulnerabilities have been much debated in the...

Recent Reports

Dahua Taunts Australian Government, Continues To Sell Illegal Fever Cameras on Aug 10, 2020
Dahua is effectively taunting the Australian government by continuing to sell...
HID Releases VertX Replacement Aero on Aug 10, 2020
HID is replacing two established and broadly supported types of access...
NDAA Compliant Video Surveillance Whitelist on Aug 10, 2020
This report aggregates video surveillance products that manufacturers have...
Telpo China Temperature Tablets Tested on Aug 10, 2020
The provider for overseas companies ranging from Canon Singapore to US'...
Dangerous Hikvision Fever Camera Showcased by Chilean City on Aug 07, 2020
Deploying a fever camera outdoors, in the rain, with no black body, is...
"Grand Slam" For Pelco's PE Firm, A Risk For Motorola on Aug 07, 2020
The word "Pelco" and "grand slam" have not been said together for many years....
FLIR Stock Falls, Admits 'Decelerating' Demand For Temperature Screening on Aug 07, 2020
Is the boom going to bust for temperature screening? FLIR disappointed...
VSaaS Will Hurt Integrators on Aug 06, 2020
VSaaS will hurt integrators, there is no question about that. How much...
Dogs For Coronavirus Screening Examined on Aug 06, 2020
While thermal temperature screening is the surveillance industry's most...
ADT Slides Back, Disappointing Results, Poor Commercial Performance on Aug 06, 2020
While ADT had an incredible start to the week, driven by the Google...
AHJ / Authority Having Jurisdiction Tutorial on Aug 06, 2020
One of the most powerful yet often underappreciated characters in all...
SIA Coaches Sellers on NDAA 889B Blacklist Workarounds on Aug 05, 2020
Last month SIA demanded that NDAA 899B "must be delayed". Now that they have...
ADI Returns To Growth, Back To 'Pre-COVID Levels' on Aug 05, 2020
While ADI was hit hard in April, with revenue declining 21%, the company's...
Exposing Fever Tablet Suppliers and 40+ Relabelers on Aug 05, 2020
IPVM has found 40+ USA and EU companies relabeling fever tablets designed,...
Indian Government Restricts PRC Manufacturers From Public Projects on Aug 04, 2020
In a move that mirrors the U.S. government’s ban on Dahua and Hikvision...