Our research revealed that an attacker could not only easily identify where these cameras exist and access the video and audio streams of unsuspecting users, but could often also collect Wi-Fi keys and e-mail, FTP and MSN credentials by simply issuing a .cgi GET request. Using geo-IP information and Wi-Fi MAC address triangulation, we can pinpoint where these cameras are located down to the city block.
We were also made aware that individuals at Qualys presented a similar talk at Hack-in-the-Box on the same weekend as our presentation. We hope to chat with those individuals about our research plans moving forward. The directory traversal vulnerability in their research looks pretty cool, and it is something we wish we had more time to look at. You can view their research here.
Our intentions are to raise awareness of the practices of these camera vendors and to create a framework for collecting and organizing this data, as exemplified by the map below, which demonstrates the ease with which pwnage could occur. We encourage you to check out our presentation below.
Presentation: Confessions of an IP Camera [PDF]