Thursday, April 11, 2013

Confessions of an IP Camera

A past weekend in early April 2013, a fellow #madsec individual (meatball) and I gave a talk at BSides Iowa regarding security weaknesses found in IP Cameras.  The talk focused around various IP camera vendors which put consumers at risk of exposing these cameras publicly via dynamic DNS and UPnP features. 

Our research revealed that not only could an attacker easily identify where these cameras exist and access video and audio streams of unsuspecting users, but often times, collect wifi keys, e-mail, FTP and MSN credentials by simply issuing a .cgi GET request.  Using geo-IP information and Wifi MAC address triangulation, we can pinpoint where these cameras are located to the city block.

We also were made aware that individuals at Qualys presented a similar talk at Hack-in-the-Box on the same weekend as our presentation.  We hope to chat with those individuals about our research plans moving forward. The directory traversal vulnerability in their research looks pretty cool, something we wish we had more time to look at. You can view their research here.

Our intentions are to raise awareness of the practices of these camera vendors as well as create a framework for collecting and organizing this data, as example by the below map demonstrating the ease in which an attacker could gather this publicly available information.  We encourage you to check our presentation out below.

Presentation:  Confessions of an IP Camera  [PDF] 

Update:  (August 14, 2013)
In August 2013, CNN caught wind of these security flaws in IP Cameras and hosted David Kennedy for an video segment which can be viewed below: