How to Peer Into Homes, Offices Via Security Cameras
A look over what appears to be a receptionist's desk in an office in suburban Paris, brought to you by a flaw in security-camera software.
CREDIT: Screen grab by SecurityNewsDaily
Like a scene straight out of a high-tech spy thriller, the live feeds of certain home security cameras can be remotely accessed by anyone on the Web — without a password.
Viewing the live video feed is disturbingly simple, thanks to a blogger calling himself "SomeLuser." On January 10, he wrote about the camera flaw, explaining how he used the Shodan search engine, which looks for Internet-connected devices, to find cameras all over the world made by the company TRENDnet.
Normally that wouldn't be a big deal, since such security cameras are made to be Web-accessible. Their owners — for example, homeowners on vacation — can dial up the cameras remotely and enter a password to see live footage.
But SomeLuser had his own SecurView wireless Internet camera, made by TRENDnet. He downloaded a firmware update, dissected it and found some interesting files. Experimenting with his own camera, SomeLuser found that appending a simple text string to the IP address of his camera bypassed the password and delivered a live feed.
So he tried out the workaround on the cameras he found on the Internet using Shodan. It didn't work for every single one, but it worked often enough so that SomeLuser could look into kids' bedrooms and personal offices.
"There does not appear to be a way to disable access to the video stream," SomeLuser wrote. "I can't really believe this is something that is intended by the manufacturer. Let's see who is out there."
And that's exactly what people began doing. After someLuser's blog posting, other people accessed more than 600 security cameras' feeds, posting screenshots from some and even locking in the camera's exact location using Google maps, according to Wired.
Typing "netcam" into Shodan reveals pages of Internet-connected cameras, from Towson, Md., and Cambridge, Mass., to Berlin and Champigny-sur-Marne, a Paris suburb. The hack doesn't work for every camera — SecurityNewsDaily found that about one in six results on Shodan delivered video feeds of homes and offices.
TRENDnet got wind of the glitch and yesterday (Feb. 7), the Torrance, Calif.-based company published firmware updates to resolve the vulnerability in all 20 SecurView IP cameras affected.
This story was provided by SecurityNewsDaily, a sister site to TechNewsDaily.