If you are in public, you are filmed. If you walk into a cafe, the owner will take you to the cashier. Visit a bigger store and there’s a good chance they’ll have your face as soon as you walk through the doorstep. At least one or two of your neighbors film you as you walk through your neighborhood, and many cities monitor traffic with red light cameras at major intersections. The question is no longer whether you are in front of the camera, but rather how many different angles you’ve been taken during your day.
With so much surveillance going on and with surveillance systems gaining in functionality online every year, it’s only natural that securing these systems becomes … complicated. And that many are secured incorrectly or not at all. Because so many cameras and surveillance systems are completely open, it is possible for anyone with access to the Internet to literally watch thousands of cameras online using only Google and understanding the Net like a kindergarten child. With a little time and patience, almost any system, from a set of residential cameras to those used by your local police force, can be accessed, viewed, and even reset if not properly secured. Of course, if you can do that, it means that anybody can do it.
? Do you feel even more secure?
Although relatively new to the surveillance market, IP cameras have quickly established themselves and are rapidly stealing market share and consumer preference over traditional (analog) cameras. In an analog system, all cameras should be wired directly to a central recording system using an analog cable (typically RG-59 or RG-6 coaxial). Installation can be a financial and practical nightmare, especially on large properties where there can be hundreds or even thousands of feet between the cameras and their base station.
IP cameras often present an interesting alternative. Using the same basic technology as your computer, IP cameras take their own IP addresses and stream video directly over a network without connecting to a DVR or control platform. Larger systems can integrate multiple IP cameras using an NVR (Network Video Recorder) that connects to and records multiple cameras at the same time. This capability can reduce installation costs by several thousand dollars at sites where analog cameras would require long or complex cables.
Additionally, IP cameras often offer the added benefits of higher resolution (with some models capable of 10 megapixels or more) and a more familiar platform that users can work with, which means they are also frequently preferred for small installations. Many future-oriented government, commercial and even residential users are already standardizing their security on a fully IP-based system, and most surveillance industry insiders believe this trend will continue for the foreseeable future.
Once an IP camera is installed and online, users can access it using its own internal or external IP address, or by logging into its NVR (or both). In either case, users only need to load a simple browser-based applet (typically Flash, Java, or ActiveX) to view live or recorded video, control cameras, or verify their settings. As with anything else on the Internet, an immediate side effect is that online security becomes an issue as soon as the connection becomes active.
Although most NVRs require usernames and passwords to access them, many individual cameras do not. An NVR can have the most advanced password imaginable, but if its remote cameras are online and unprotected, anyone with a web browser can completely bypass system security, no hacking is required.
No matter where a system is installed, if it is present online, it is vulnerable. All it takes is time and a little bit of Google research to get to it.
Find open doors
Finding IP cameras with Google is surprisingly easy. While the information the search engine provides about the cameras themselves is usually little more than an IP address and a camera name or model number, Google still provides those in the know how to request full listings of. IP cameras and web surveillance systems around the world.
The secret is in the research itself. Although a standard Google search usually does not find anything out of the ordinary, the association of advanced search tags (“intitle”, “inurl”, “intext”, etc.) with the names of commonly used cameras or fragments of ‘URL will provide direct links to watch live video from thousands of IP cameras.
For example, a standard Google search for “Axis 206M” (a 1.3 mega-pixel IP camera by Axis) yields pages of datasheets, manuals, and sites where the camera can be purchased. Change the search to “intitle: ‘Live View / – AXIS 206M'”, and Google returns 3 pages of links to 206M which are online and searchable. The trick is that instead of searching for anything related to the 206M, the modified search tells Google to specifically search for the name of the camera’s remote viewing page.
Some cameras are even easier than that. For example, although a search for “intext: ‘MOBOTIX M10’ intext: ‘Open Menu'” will display direct links for M10s that are online and ready to be viewed, simply searching for “Mobotix M10”, the mark and the camera model returns basically the same results. It’s just a matter of which cameras are online and how their viewers are structured. While some of the links will be to password-protected cameras or to cameras that have been deliberately left open to the public, the vast majority will be from users who wanted them to be private.
As IP cameras have become more popular and this Google trick has become more widely known, entire communities have formed to find and view unsecured cameras; many larger forums (such as 4chan and SomethingAwful) have had heavy threads on the subject. For ease of access, members of these groups have posted Google-ready search string pages that provide access to dozens of different camera makes and models, meaning virtually anyone can start with. a small effort. No technical knowledge, finesse or prior experience required; just find a list of search terms (an easy task with any search engine) and start copying and pasting into Google.
It’s so easy that even a freelance journalist can do it. I launched my browser, found a list of search terms, and went exploring.