Peep show: 40K IoT cameras worldwide stream secrets to anyone with a browser

Security researchers managed to access the live feeds of 40,000 internet-connected cameras worldwide and they may have only scratched the surface of what's possible. Supporting the bulletin issued by the Department of Homeland Security (DHS) earlier this year, which warned of exposed cameras potentially being used in Chinese …

  1. VoiceOfTruth

    It all wears rather thin

    Chinese espionage campaigns. Blah effing blah.

    How about American spying? You think they don't do it? It's reds under the beds again. Oh those bad Commies. But American spying is good clean and benefits the spied upon.

    As the USA imposes tariffs against supposedly friendly countries, an act of economic war, don't think the USA is on 'our' side. It isn't. We should kick all American technology companies out of Europe.

    1. Sp1z

      Re: It all wears rather thin

      Indeed it will be interesting to see when America brings all manufacturing back to its shores (lol, yeah right). The web interface for these new US cameras will probably be orders of magnitude worse and written by one of Elon's script kiddiez using ChatGPT.

      And that's before the NSA have demanded a backdoor for a live feed.

      1. Resmashed

        Re: It all wears rather thin

        We are not all useless idiots in America, we have Trump now and him and Elon Musk are butting heads. Granted their history and both being business men, I’m willing to bet there will not be security cams manufactured by Musk’s “Kiddies”. Pay attention to the world wide news. Keep up. America is going to be just fine. Everyone had their chance to honestly manufacture things for us and look at what happens. Every other day our Medical Records are held hostage with ransomware all over the country. There’s some cyber security issue every two seconds with something manufactured in a different country. Some bored teenage nerd in a third world garbage country will sit there putting ransomware affecting someone’s medical records here who almost dies or does die as a result so the piece of trash can have an adrenaline rush. Stop acting like you all are perfect. Your products are garbage. We don’t want them. Maybe we will need to go kind of dark for a while with technology, but we don’t want your garbage, child, slave labor trash that gets hacked anymore!!

    2. I am the liquor

      Re: It all wears rather thin

      Chinese government back doors are rather academic when the front door is left standing open.

      1. teknopaul

        Re: It all wears rather thin

        The idea of a camera, is often to make public, a place that's otherwise dark & dingy where criminals can lurk.

        E.g. they used to put mirrors on ATMs. Now they put cameras.

        The idea that cameras are necessarily "insecure" because people generally can use them, is debatable.

        I think publicly accessible camera of public spaces _should_ be open to public viewing, and if they were, security in public spaces & scrutiny of security forces would be improved.

        Security bods often mix up irl and oti security. It bugs me. They get paid to whinge.

        Do stronger security forces make you more secure? Or do more eyes?

    3. wolfetone Silver badge

      Re: It all wears rather thin

      Right now China have released a better, more efficient, AI than whatever America has produced. They're making advances in medicine and healthcare.

      What are America doing? Ripping babies out of the arms of their mothers and sending in the army to shoot the people who protest about it.

      Some country.

    4. that one in the corner Silver badge

      Re: It all wears rather thin

      There is a lot of Chinese kit involved in these, but - let's be honest - just because it is cheap and quickly made: who wants to spend the extra money on the same thing, with the same flaws, made elsewhere?

      No need to look for nefarious spying reasons for the leaky cameras, no matter how much we'd like to think we're that interesting.

      1. MachDiamond Silver badge

        Re: It all wears rather thin

        "There is a lot of Chinese kit involved in these, but - let's be honest - just because it is cheap and quickly made: who wants to spend the extra money on the same thing, with the same flaws, made elsewhere?"

        Once the thing works, there's no value in considering the security aspects as that will delay production, shipping and sales. I'm sure US Congresscritters will confidently proclaim that it's the CCP plotting to spy on everybody. The reality is that there's no point in spying on everybody and it takes too many resources to separate the wheat from the chaff with that much data. It's just commerce getting crap product on the market as fast as they can, selling it and then getting out once everybody sees that the stuff is crap. A technical exam of dashcams showed that many of them are the exact same guts in various different housings. Everything in a price bracket will be down to between 1-3 designs. A fancy case at a much higher price could be the same as the low price junk. The hype on the box is a complete lie and you aren't going to find a "bargain". A good one, if you can track one down, will be expensive.

    5. jobst

      Re: It all wears rather thin

      Agreed, the US is not on our side!

      There is not a year when Microsoft is NOT in court in Den Haag/Europe.

      Apple NOT spying on us?

      Google NOT spying on us?

      M$ NOT spying on us?

      Give me a break.

    6. RobDog

      Re: It all wears rather thin

      From Blackadder on German spies:

      “Filthy Hun weasels fighting their dirty underhand war! [And, fortunately,] one of our spies Splendid fellows, brave heroes, risking life and limb for Blighty…”

    7. BartyFartsLast Silver badge

      Re: It all wears rather thin

      I'm 100% certain the US and all other countries spy on each other, that doesn't stop this being news, nor does it mean the Chinese aren't involved.

      The big news bit of the story is that these cameras were installed in sensitive locations with no thought for or testing for security.

    8. steelpillow Silver badge
      Pint

      Re: It all wears rather thin

      @VoiceOfTruth Not often I agree with you.

      But why trawl and analyse the cesspit when you can pay the dotcoms to sell the sludge on to you for a fraction the cost?

    9. cmb11

      Re: It all wears rather thin

      Yes all countries are spying on each other, even the 5 eyes partners, albeit passively rather than actively, but we don't need to help people spying by leaving unsecured cameras open to the internet or cameras still with the default passwords.

      As someone who has security clearance and is trained in one of the world's leading CCTV software products, it's not that hard and professionals should be putting cameras on closed networks with the NVR/Management servers having 2 NICs, one on the camera network and one, sitting behind a firewall, with only the ports needed for external access. Then there's the age old issue of passwords and MFA, people just use the same password for everything, normally dictionary based, normally already on some list on the undernet and MFA is just a pain for people unless they are forced to use it, then they wonder why their credit card was just used to buy a round of drinks for 500 people in a bar in Moscow...

  2. IGotOut Silver badge

    I was doing this over 20 years ago...

    ..with a simple Google search. Great to see little progress has been made.

    1. andy gibson

      Re: I was doing this over 20 years ago...

      Yep, it was Axis cameras back then

    2. Roland6 Silver badge

      Re: I was doing this over 20 years ago...

      20+ years ago, we were putting webcams on the internet, calling them Surf cams etc. and encouraging people to connect and watch…

    3. Mint Sauce
      Facepalm

      Re: I was doing this over 20 years ago...

      I was just thinking the same. I once managed to find a PTZ camera connected to someones model train setup. I admired their dedication if not their security!

      <shuffles off to double check passwords and settings on own IP cameras, and to wave at whoever is watching from afar>

      1. heyrick Silver badge
        Happy

        Re: I was doing this over 20 years ago...

        There was a quiet little PTZ someplace in Japan just next to a railway. The train was cute, I know, I watched it. More than once.

    4. Mr. Flibble

      Re: I was doing this over 20 years ago...

      https://infosec.exchange/@shodansafari

    5. hoola Silver badge

      Re: I was doing this over 20 years ago...

      I think that the point that is being overlooked is that it is very little to do with them being Chinese (almost all the IoT stuff is made there anyway) but that people & companies persist in connecting all sorts of stuff to Internet connected networks without a thought.

      It is not that long ago that routers started having randomised initial passwords. Then we have the stupidity that huge numbers of people appear to want all these Apps to control shite from their phone.

      We reached the point quite a few years ago where it has become pretty much impossible to protect people from the number one threat - themselves!

      This applies to companies as well.

  3. Anonymous Coward

    "Cyber Actors"

    "Look at me -- I'm a computer!"

    1. that one in the corner Silver badge

      Re: "Cyber Actors"

      Nicholas Craig masterclass on How to be Sci-Fi

  4. Anonymous Coward

    No Mention Of.....

    .....SHODAN. Really?

    Quote (Wikipedia): "In November 2021, PCMagazine described how Shodan was used by AT&T to detect Internet of Things devices infected with malware."

  5. Jason Bloomberg Silver badge
    Facepalm

    "It should be obvious to everyone that leaving a camera exposed on the internet is a bad idea"

    It should be; but it isn't. And many users don't even know they have done something stupid and potentially dangerous.

    Every reader here should know but why would Joe Public? I don't recall any public information campaigns or warning stickers on product like there are on cigarettes and for album lyrics.

    The UK and Europe have at least enacted legislation to try and prevent people connecting unsecured kit to the net but it's not 100% effective.

    I imagine both would be deemed unacceptable in the US for being some sort of 'infringement upon freedom', something only commies, socialists and non-patriots would support.

    1. that one in the corner Silver badge

      Re: "It should be obvious to everyone that leaving a camera exposed on the internet is a bad idea"

      > Every reader here should know

      Should jolly well hope so:

      Wed 21 Feb 2018 Rock-a-byte, baby: IoT tot-monitoring camera lets miscreants watch 10,000s of kids online

      Mon 29 May 2017 Internet of snitches: Anyone who can sniff 'Thing' traffic knows what you're doing

      Thu 9 Mar 2017 Oops! 185,000-plus Wi-Fi cameras on the web with insecure admin panels

      Thu 3 Sep 2015 IoT baby monitors STILL revealing live streams of sleeping kids

      Thu 20 Nov 2014 Webcam hacker pervs in MASS HOME INVASION

      Sun 17 Aug 2014 Boffins find hundreds of thousands of woefully insecure IoT devices

      7th February 2012 17:01 GMT TRENDnet home security camera flaw exposes thousands

      Then I got bored and tried Ars Technica

      Jan 11, 2011 Peep show: inside the world of unsecured IP security cameras but I missed the El Reg bite and stopped.

    2. Anonymous Coward

      Re: "It should be obvious to everyone that leaving a camera exposed on the internet is a bad idea"

      How does the average person/organization NOT have everything on their network behind their NAT router? It would seem that would be the default just connecting to the local network.

      1. hoola Silver badge

        Re: "It should be obvious to everyone that leaving a camera exposed on the internet is a bad idea"

        I suppose it depends if you are accessing the IP address and the router has not gone and allowed holes to be drilled through from the outside to support said camera.

        Given that "simplicity" by setting something up with a button press appears to outweigh any security concerns is a large part of the mess we are in.

        1. Excused Boots Silver badge

          Re: "It should be obvious to everyone that leaving a camera exposed on the internet is a bad idea"

          uPnP

          Should be mandated to be off by default, but it isn’t and left on for ‘ease of use’, as you, rightly, say.

          And once all sorts of holes are punched through the firewall, then all bets are off!

  6. Anonymous Coward

    Finding them isn't quite as simple, but far from impossible

    (plus technical-sounding stuff about fingerprinting and finding web APIs)

    The "isn't quite as simple" means having to wade through all of the documentation for nmap plugins and nessus scripts?

    If anyone has been concerned about these cameras and read up any of the online news stories for the last 25-plus years, they would already know about the equally old tools that searched for open cameras. Back when having a webcam was exciting and cutting edge, finding random ones across the globe was the game to play: after looking out over Sydney Harbour from a deliberately open camera, the next one on the list was probably an office in Hong Kong which let you play with the PTZ.

    A good chunk of this story read like the DOHS saying "oh, we were really clever, here are all the things we did, we are worth paying, Sir" rather than "we tried the tools that worked last century - well, after we remembered to download the latest versions".

  7. TimMaher Silver badge
    Facepalm

    CCTV

    Remember that? It was “closed circuit”.

    Divs.

  8. DS999 Silver badge

    What possible problem are cameras in a gym?

    The gym my girlfriend goes to has a few cameras accessible from its web page - just stills taken every minute or so. It is great for telling her when the gym is busy and when it isn't. I checked it out and you can barely tell a 6'4" man from a 5'4" woman from the distance/angles and it isn't even in color. It is female owned so I wouldn't be at all surprised if they took the potential for stalking into account with the low quality images provided - just enough to tell how busy it is but not nearly good enough to identify any specific people. I would never be able to tell if she's there or not from looking at it.

    Now actually letting someone connect directly to the cameras themselves is a different thing, and obviously stupid given their notorious security record.

    1. MachDiamond Silver badge

      Re: What possible problem are cameras in a gym?

      "The gym my girlfriend goes to has a few cameras accessible from its web page - just stills taken every minute or so. It is great for telling her when the gym is busy and when it isn't."

      If members need to badge in/out, it would be simple to know how many people are at the gym without needing to have cameras online. Without access controls, it's not hard for security cameras to do a rough count and send that to the web site where there's a dial gauge that reads from empty to full.

      It's been ages since I've wasted money on a gym since there's always plenty of physical work that needs doing on my patch. When I would go, it didn't take long to figure out the times when it was always busy. Even when busy, I could always find some place and gear to work out. I could save some people a bunch of money if they want to come to my house and help with projects in the garden. During peak season, I'd be sending them home with boxes of good stuff. Damn squirrels found a way into my sprouting pepper patch and wiped those out. Back to the Tractor Supply for another roll of fencing and some insulators to hook up the electric fence. Don't think I'm not above watching through the window with a big red switch in my hand.

      1. DS999 Silver badge

        Re: What possible problem are cameras in a gym?

        It's not just knowing how many people are in the entire gym, you have to know what they're doing. Her gym has classes, so knowing "150 people are currently inside" could mean it is totally packed if there are no classes at that time, or it could be half empty if there are three classes with 30 people each.

        It also depends on what you want to do, i.e. cardio, dumbbells, racks, machines and seeing the photos will tell you how busy the area you are going to use is.

        1. Yet Another Anonymous coward Silver badge

          Re: What possible problem are cameras in a gym?

          >you can barely tell a 6'4" man from a 5'4" woman

          And somehow this worries Republican lawmakers

  9. JessicaRabbit

    You'd think they'd have learned back when wardriving open Wi-Fi was all the rage; if you let hardware manufacturers skimp on security, they will, every bloody time.

  10. Roger Kynaston

    not surprised

    Quite a few years ago I was working at a local authority in London and they asked me to probe some new networked CCTV cameras they were trying. Nmap showed that port 80 was open and everyone in the team enjoyed looking at all the passers by at Fulham Broadway. The only change I expect is that it now uses https.

    1. Yet Another Anonymous coward Silver badge

      Re: not surprised

      >everyone in the team enjoyed looking at all the passers by at Fulham Broadway

      They should probably get a pet

  11. Omnipresent Silver badge

    I robot

    Wait until you hear what your vacuum sees. I always thought ring cameras should be an illegal breach of individual liberties as well.

    1. TimMaher Silver badge
      Coat

      Re: “what your vacuum sees”

      Vacuum:- “I’ll gather the wet cloth out. Don’t be ashamed.”

    2. Will Godfrey Silver badge
      Big Brother

      Re: I robot

      I lost count of the door cams I have to walk past going from home to the shopping centre. There are at least 83/84 - It's a 10 minute walk.

    3. heyrick Silver badge

      Re: I robot

      Here in France you can have cameras with the following provisos: you need a notification which offers the right for somebody to have their footage deleted, and you cannot have it looking at land that you don't own. So these doorways looking out to the street, not legal.

      I have cameras, but I'm rural and while one can see beyond my land, it's a field thirty metres away and the resolution isn't good enough to tell anything useful at that distance.

      1. Excused Boots Silver badge

        Re: I robot

        At least in the UK, the assumption is that if you are in a public place, ie walking down the street, then you have no expectation of privacy. So I have a Ring doorbell camera, it sees everything in my front garden and also the street outside, my front garden is my property and (within reason) can do whatever I want, and the street is a public space. On a private property, a shopping mall for example, then yes they are supposed to have a sign explaining that video recording is happening in here, and contact details for further information and (maybe) how to request copies of the recordings of yourself and your rights - something which absolutely nobody ever, ever bothers with.

        In theory I could take a camera outside on the street and follow you around recording everything you do, unless you go into a shop, that’s a private, not a public area, I have no right to record you there. In practice I could be accused of harassment, but it would be up to a Court to decide.

        Imagine this, I take a trip to Paris with my partner, and I take some video footage of her in front of the Eiffel Tower, but also happen to capture a number of Parisians in the background going about their lawful business? Could they legally demand that I delete the video?

        Or have I missed the point? I’ve probably missed the point. But absolutely more than happy to have the legal situation explained to me.

        1. Yet Another Anonymous coward Silver badge

          Re: I robot

          France has very weird rules about use of images of people photographed in public.

          They are also contradictory if they are for artistic uses (France is pro-artist) or for commercial use (France is not so pro-commercial)

          ps. It is also illegal to take photos of the Eiffel Tower at night

  12. Mog_X

    I saw the title of this post....

    and thought it was about what Roboute Guilliman and Yvraine might have been up to :-)

  13. Marty McFly Silver badge
    FAIL

    So just what is the problem?

    I read the article looking for a brand reference or some sort of vulnerability. Nothing jumped out at me. So no panic for the kit I administer.

    This appears to be an article more about bad firewall rules rather than camera issues. That actually makes the problem worse - if a camera is exposed, what else is the network address leaking? It reeks of a 'get it working' admin who punched a hole to 'solve the problem' with little regard to security implications.

    If that is their standard operating procedure, what other holes have they made?

    1. David Hicklin Silver badge

      Re: So just what is the problem?

      I suspect that UPnP on routers is the problem with the cameras automatically opening up the ports needed for internet access

    2. Excused Boots Silver badge

      Re: So just what is the problem?

      "It reeks of a 'get it working’ admin”

      Problem : 'This piece of software isn’t working properly’

      Solution : ‘Make everyone a domain admin, now it works’

      Result : You now have many, many more problems!

  14. Anonymous Coward

    This...

    ...has been known for aaaaaages. There are dedicated websites that exist for browsing open cameras.

    It goes back as far as Google Dorking for banners.

    Have these "researchers" been under a rock?

  15. Anonymous Coward

    insecam

    insecam.org

    This is the most scary site I've ever visited ! Some of the cams there, years ago, were remote controllable and I was able to rotate them with the default password !

    One was installed in the living room of an elder lady ! I was able to watch her coming & going, switching the TV on, etc ...

    Gosh, some people are really over the top to even do that !

    1. Ken Hagan Gold badge

      Re: insecam

      Possibly installed by a well-intentioned but naive family member.

    2. Yet Another Anonymous coward Silver badge

      Re: insecam

      >One was installed in the living room of an elder lady ! I was able to watch her coming & going, switching the TV on, etc ...

      Not to mention, opening Parliament, trooping colours etc etc

  16. 0laf Silver badge

    What's new?

    Saying there are IoT devices openly detectable across the internet is the IT press equivalent of a Daily Express snow panic story in winter.

  17. Resmashed

    Been there done that. It was a nightmare. I won’t ever use any cameras again. My good old fashioned photographic memory serves me much better.

  18. martinusher Silver badge

    Not every image is confidential

    If you don't want your camera to stream images to the world then the answer's obvious -- don't connect it to the Internet. We don't need to harden everything against Chinese State Sponsored Spies because, frankly, watching nothing happening in our side yard is not particularly fruitful or edifying. Those cheap cameras have probably got adequate security for household use -- just as our front door lock is probably adequate to deter casual intruders but isn't going to stop determined thieves.
