When purchasing a security camera to keep an eye on home or family, most consumers likely assume that security goes both ways, but this week we were reminded yet again of the security failures that plague the “Internet of Things.” Shodan, a search engine for Internet-connected devices, debuted a new section of its website to let users search for insecure webcams.
Shodan launched in 2009 and has since maintained controversial feeds of Internet of Things vulnerabilities. The new section of the site gives you a glimpse into businesses, bedrooms, patios, and anywhere else someone might put a security camera. Shodan subscribers can view the feed at images.shodan.io/, and unpaid members can search via port:554 has_screenshot:true, Ars Technica reports.
The website captures screenshots of the vulnerable webcams and aggregates them on the site. Shodan is constantly looking for IP addresses with insecure open ports, and takes a screenshot when it finds one with a video feed, Ars explained. The feeds are vulnerable because they use the Real Time Streaming Protocol (RTSP), used to control streaming media sessions, and aren’t password protected.
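What “not password protected” means at the protocol level, as an added example that is not part of the original article: a camera owner can look at how their own device answers an RTSP DESCRIBE request sent without credentials. The function names and the sample replies are constructed for illustration; the status codes and the WWW-Authenticate header follow the RTSP specification (RFC 2326).

```python
# Added example: classify a camera's reply to an RTSP DESCRIBE request that
# carried no Authorization header. All sample replies are constructed.

OPEN_REPLY = ("RTSP/1.0 200 OK\r\nCSeq: 2\r\n"
              "Content-Type: application/sdp\r\nContent-Length: 0\r\n\r\n")
BASIC_REPLY = ("RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
               'WWW-Authenticate: Basic realm="camera"\r\n\r\n')
DIGEST_REPLY = ("RTSP/1.0 401 Unauthorized\r\nCSeq: 2\r\n"
                'WWW-Authenticate: Digest realm="camera", '
                'nonce="constructed-nonce"\r\n\r\n')


def parse_rtsp_response(raw: str):
    """Split an RTSP response into (status_code, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        raise ValueError("not an RTSP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            # A header may repeat (one WWW-Authenticate per offered scheme).
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(parts[1]), headers


def classify_describe_reply(raw: str) -> str:
    """Interpret the reply to a DESCRIBE sent without credentials."""
    status, headers = parse_rtsp_response(raw)
    if status == 200:
        return "open"  # stream description handed out with no login at all
    if status == 401:
        schemes = {v.split(" ", 1)[0].lower()
                   for v in headers.get("www-authenticate", [])}
        if "basic" in schemes:
            # Basic sends the password merely base64-encoded over the network.
            return "auth-basic"
        if "digest" in schemes:
            return "auth-digest"
        return "auth-other"
    return "inconclusive"  # e.g. 404 for a wrong stream path


if __name__ == "__main__":
    for name, reply in [("open", OPEN_REPLY), ("basic", BASIC_REPLY),
                        ("digest", DIGEST_REPLY)]:
        print(name, "->", classify_describe_reply(reply))
```

A result of "open" is the condition the article describes: the feed is handed to anyone who asks for it.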
https://t.co/vH2jYG3zVw— D̒͂̕ᵈăᵃn̕ᶰ Ť̾̾̓͐͒͠ᵗe͗̑́̋̂́͡ᵉn̅ᶰtᵗl̀̓͘ᶫe̓̒̂̚ᵉrʳ (@Viss) January 23, 2016
"secured by RSA"
In LA, even! well done!
https://t.co/e8u134VGBN— D̒͂̕ᵈăᵃn̕ᶰ Ť̾̾̓͐͒͠ᵗe͗̑́̋̂́͡ᵉn̅ᶰtᵗl̀̓͘ᶫe̓̒̂̚ᵉrʳ (@Viss) January 23, 2016
Shodan isn't a search engine for sleeping kids
ITS A SEARCH ENGINE FOR DEAD PEOPLE o/
Jessy Irwin, security evangelist for 1Password, says that vulnerabilities like those displayed on Shodan are a direct result of the Internet of Things design process.
“Technologists have endless ideas about how to create mashups of everyday objects and appliances with the Internet, but they’re trying to innovate so quickly that they are not stopping to ask whether some devices truly should be connected or not,” Irwin said in an email to the Daily Dot. “Privacy and security assessments aren’t making their way into products for the home: if they were, manufacturers of at-home surveillance cameras and baby monitors would very easily see that they need to add a layer of security into their products that ensures video feeds are only accessible by the right users in a controlled manner.”
If it seems like there’s a new IoT security vulnerability unveiled before the last one you heard about is even patched, it’s because while manufacturers are trying to connect pretty much every aspect of your life to the Internet as cheaply as possible, they’re putting the excitement about connected fridges and baby monitors and televisions before the need to adequately address security.
A great example of how short memory spans are when it comes to IoT and security is VTech’s massive hack. Last year, the toymaker exposed millions of accounts, compromising information like names, email addresses, download history, passwords, security answers for passwords, IP addresses, and mailing addresses. Just a few months later, the company was hawking its connected home wares at tech’s biggest trade show, and USA Today included it in a “best of” CES roundup.
There’s currently no group that provides ratings for IoT devices like Kelley Blue Book does for automobiles. As Ars explains, “some combination of regulatory stick and rating system carrot seems likely to increase IoT security across the board.”
I Am The Cavalry is one group working on making security standards for IoT devices that manufacturers and consumers can use to see whether their products are safe. The organization recently released a “Hippocratic Oath for Connected Medical Devices,” intended to give physicians who use connected devices a better understanding of the technology and security of the tech they’re using, and to help them maintain privacy and safety.
“In terms of legal requirements or standards, there’s no single set of security rules that internet-enabled devices have to meet and there’s no governing body that is mandating stronger security requirements of the technology industry,” Irwin said. “As a result, some companies are ignoring security altogether or cobbling together their own ‘solutions’ that ignore some of the simplest tenets of security. These gaps in IoT security leave consumers exposed and vulnerable to attack, and they’re almost impossible to close once products make it into people’s homes.”
A cursory look at Shodan’s webcam search showed some eerie footage—backyards, bedrooms, living rooms, and kitchens. And yes, even sleeping babies.
For consumers, the idea of having devices and appliances that talk to you and supposedly make your life easier is quite compelling. Until you realize that those very devices could pose security and safety risks for the family or home you got them to protect in the first place.
“What users can do with the devices they already own is simple: be proactive, and be sure to regularly update the software that runs their devices, and be sure to use them on a closed, secure home network that is protected by a strong password,” Irwin said.
H/T Ars Technica | Photo via Image Catalog / Flickr (CC by 2.0) | Remix by Max Fleishman