Hi, I'm your unmaintained IP camera, broadcasting your life 24/7

Do you operate an IP camera, which is connected to the internet? Did you ever check its configuration? Did you check if the device runs the latest firmware? Did you check whether everybody on the internet can access your camera?

In this article, we share several risks coming with unmaintained IP cameras and tips on how you can secure your device.

Always stay in the loop!
Subscribe to our RSS/Atom feed.

Note
Please note: All pictures in this article show publicly accessible streams, broadcasted by unmaintained IP cameras. We removed sensitive details and don't show any people or private areas.

Finding your device on the internet may be child’s play

More and more people are aware of search engines like shodan.io and censys.io. These search engines index devices instead of websites, allowing searching for IP addresses, network services, and other information. Apart from these search engines, thousands of bots scan the internet with each passing minute.

For instance, let’s enter the search query services.banner: {"camera"} and location.country_code: CZ on censys.io. The following screenshot shows 826 indexed devices in the Czech Republic, tagged as “cameras.” In September 2021, the search index contained more than 2,000 cameras in the Czech Republic.

An image showing IP addresses of 826 Czech cameras.
censys.io shows 826 indexed cameras in the Czech Republic (2018). (πŸ” Zoom in)

Attackers quickly learn about potential targets (such as your unmaintained IP camera) by using these search engines or dedicated scanning tools, freely available on the internet.

After learning the IP address of the potential target, attackers may then run port scans (e.g., by using “nmap”) to get lists of open TCP and UDP ports. These lists may reveal the network services running on the IP camera and security vulnerabilities. The next steps include exploiting misconfiguration and security vulnerabilities, gaining persistent access to the device, scanning your network infrastructure, and other criminal activities.

Never assume that your devices, which run network services and are connected to the internet, are “somehow invisible” to others. Scanning for IP addresses and running network services is fast and feasible.

Attackers might find your physical location

Apart from digitally breaking into your devices, attackers might misuse your camera’s settings and streams to find the physical location of your devices, revealing the address of your home.

Your camera may disclose lots of information, including:

  • Manufacturer and model of your camera.
  • Manufacturer and model of your router to connect to the internet.
  • Local IP addresses, which are used behind NAT on your home network.
  • Your network topology, including other devices on the same home network.
  • Your timezone and NTP server.
  • The name of your video stream (e.g., “living room,” “bathroom”).
  • Buildings around your home.
  • Your e-mail settings, including your e-mail address and e-mail password.
  • Your WiFi settings, including your WiFi password and SSID (e.g., “Sokolova999/1”, “PoΕ‘ta Brno”).
  • Any WiFi networks in the proximity of your camera.
  • …
An image showing WiFi information in camera settings.
This camera discloses WiFi settings and shows WiFi networks in its proximity. (πŸ” Zoom in)

Attackers may combine this information to pinpoint your home. Pinpointing your home results in risks for your “offline life”:

  • Attackers may observe your daily routines and record you.
  • Attackers may conduct social engineering by misusing this information.
  • Attackers may misuse your camera stream to prepare burglary.

Read our article “ Exposed IP cameras may disclose your physical address” for two examples.

Spooky movement of your camera indicates attackers

Depending on the level of access attackers have, they may control your camera remotely. Controlling may include:

  • Rotating your camera to look around.
  • Starting audio recording for eavesdropping.
  • Connecting to your WiFi by using the WiFi password disclosed by the camera.
  • Hacking other devices within your WiFi network.
  • Disabling recording at all.
  • Formating your storage cards to delete all recordings.
  • Deleting log files to erase any traces.
  • …

The following screenshot shows a camera that can be controlled remotely:

An image showing cows as seen by a camera.
Attackers can freely rotate this camera and see more than just cows. (πŸ” Zoom in)

Secure your camera

Consider the following to secure your cameras and similar IoT devices:

  1. Look for security support before buying a new camera (e.g., Does the manufacturer provide security updates?, Are there any negative reports regarding cyber security about this camera?).
  2. Change the default credentials of your camera, including usernames and passwords. Manuals may include the default credentials, allowing attackers to log in easily.
  3. Update your camera’s firmware frequently. Do not forget your device. It runs software as any other computer. Unpatched security vulnerabilities might be exploited to bypass strong credentials.
  4. Harden your device by enabling HTTPS and disabling unused or dangerous features like port forwarding and UPnP.
  5. Use WPA3-SAE to protect your wireless network traffic. If WPA3-SAE isn’t available, use WPA2-PSK-CCMP (sometimes called WPA2-AES).
  6. Shut down your camera if you don’t need it.
  7. Regularly check your camera’s log files for anomalies, such as configuration changes, failed login attempts, and restarts.
  8. Regularly recheck your camera’s settings.
  9. If you are tech-savvy and own appropriate hardware, set up a dedicated VLAN for your camera and configure strict firewall rules. Attackers won’t be able to attack other devices if deployed correctly.

Summary

Your IP camera is another computer running on your home network. Never assume that your camera is 100% secure and hidden from attackers. Carefully check its settings, harden its configuration, and monitor your device.

The final screenshot shows the worst case. This camera seems to be forgotten as its stream is the same for many months:

An image showing a hacked live stream of a camera.
This camera has a message for its owners. (πŸ” Zoom in)

We republished this article in September 2021.

Read also