Do you own one of these cheap IP cameras from the local discount store, or did you buy one on Alza? Maybe you asked yourself why the camera is always looking around, autonomously moving, or even making noises? It is terrifying to see how many IP cameras are publicly accessible by everyone around the world. Its owners don’t change default passwords, leave security configuration untouched, and seem happy that their camera broadcasts their family room around the clock.
In this article, we show you several risks that come with cheap IP cameras and tips on how you can secure your device.
Always stay in the loop!
Subscribe to our RSS/Atom feed.
They will find your device
There are 4.3 billion IPv4 addresses, so it’s unlikely that “they” find your device, isn’t it? It is very likely that your IP camera is already cataloged somewhere. Thousands of bots scan the internet around the clock for devices like insecure IP cameras. There are search engines that allow everybody to search for such devices.
Two well-known search engines are shodan.io and censys.io. Let’s find cameras in the Czech Republic using censys.io. We only have to enter location.country_code: CZ AND tags: camera:
censys.io shows 826 IP cameras in the Czech Republic. Since we know the IP address, it is easy to scan for additional information (e.g., using nmap).
censys.io is only one of many search engines or websites that provide initial information. Attackers don’t have to guess your IP address for hours. They can use a search engine.
By the way, you can search for many other devices:
- Find Raspberry Pis in the Czech Republic: location.country_code: CZ AND tags: raspberry pi
- Find NAS in the Czech Republic: location.country_code: CZ AND tags: nas
- Find servers running Debian and OpenSSH on port 22: 22.ssh.v2.metadata.product: OpenSSH AND metadata.os: Debian
Hopefully, you see that finding your devices is easy.
They can pinpoint your home
Now you might think that attackers only have your IP address. IP addresses aren’t sufficient to pinpoint your home, are they?
Attackers can access your camera even if they only know its IP address. They mostly need no additional information. Your camera itself discloses lots of information about your home (depending on your camera):
- Manufacturer and model of your camera
- Manufacturer and model of your router
- Internal IP addresses
- Your network topology
- Your timezone and NTP server
- The name of your video stream (e.g., “living room,” “bathroom”)
- Buildings around your home
- Your e-mail settings (including your e-mail address and e-mail password in some cases)
- Your WLAN settings, password, and SSID (e.g., “Sokolova999/1”, “Pošta Brno”)
- WLANs around your camera
Attackers can combine this information to pinpoint your home. Pinpointing your home isn’t only risky for your online devices but also for your “offline life”:
- Attackers can use this information (especially live streams) to observe your daily routines
- Attackers can use their knowledge for social engineering
- Attackers can use this live information to commit burglary
They are in full control
Your camera not only discloses lots of information, but attackers can control it remotely. Attackers can:
- Rotate your camera to look around
- Start audio recording for eavesdropping
- Connect to your WLAN by using the password disclosed by the camera
- Hack other devices within your WLAN
- Disable recording at all
- Format your storage cards
- Delete log files to erase all traces
Admittedly, that’s pushing it a bit. Not every camera discloses everything by default or allows remote control.
Secure your camera
After giving you a sermon, we want to provide some tips to secure your camera:
- Don’t buy cheap cameras that don’t have any security features.
- Change default usernames and passwords.
- Enable HTTPS, if available.
- Update your camera’s firmware.
- Disable port forwarding and UPnP.
- Use WPA2-PSK-CCMP (sometimes called WPA2-AES) only.
- Turn off your camera when you don’t need it.
- Regularly check your camera’s log files
- Use network segmentation, if available (e.g., by connecting your IP camera with your guest network only).
- Regularly check its settings and change passwords.
Finally, always remember that no device on earth is or will ever be 100% secure.
There is already an appropriate summary online: