Traveling the World Through Webcams

When I opened my eyes, I found myself watching the Tonight Show with Jay Leno from the comfort of an unfamiliar couch. It was one of those oversized L-shaped couches that you really want but can’t have because it won’t fit in your 700 square-foot apartment. As I was sitting there, enjoying the luxury of a couch big enough to consume my kitchen, my gut told me that something wasn’t right. My suspicions were confirmed when I realized that Jay Leno wasn’t speaking English. I looked over at Toto and said, “I love this couch but I’ve a feeling we’re not in California anymore.” With a look of uncertainty on his face, Toto nodded in agreement and replied, “where the hell are we then?” After doing a little research on Google, I discovered that I was actually in Rome. Yes, as in the capital of Italy. So, how’d I make a 6,000 mile journey without leaving my Sacramento office? I used webcams.

In addition to watching the Tonight Show, I attended preschool, babysat an unruly group of dogs, toured the slums of Brazil, patrolled a used car lot, monitored a weather station, ticketed a red-light violator, and sold a smartphone. I visited private residences and businesses in China, Russia, Japan, Thailand, Brazil, and more than a dozen other countries across the globe. Cool, right? Well, that depends on how you look at it. If you’re anything like me, you’ve already pondered the possibility that somebody could be watching you.

Like any other stereotypical sightseeing tourist, I brought my camera along. Let’s take a look at some screenshots.

[Screenshots. Top row: Tokyo Cam, Verizon Cam. Bottom row: Daycare Office Cam, Man Gameroom Cam.]

The top right image was taken from a surveillance camera at a Verizon Wireless store in the Chicago area. What you don’t see in the image is that I had complete control over the surveillance system, including the digital video recorder (DVR). This means that I had the ability to enable and disable recording. Think about the implications that this has. If someone with malicious intent accessed that same system, he or she could easily exploit it to facilitate a robbery. Now, think about this scenario on a larger scale. Do you see where I’m going with this yet?

In addition, the majority of these cameras feature a pan, tilt, and zoom function. What does this mean? Well, if you’re willing to get creative, it means you could easily focus the camera’s attention on a customer’s credit card information. This can be achieved not only by directly zooming in on the credit card but by looking for reflections. If you’re not lucky enough to find a properly positioned mirror, there are other less obvious sources such as sunglasses and windows. Kind of scary, right? I’m guessing the next time you log into Facebook while wearing sunglasses, you’ll think twice.

Now that we’ve considered some potential security risks, let’s focus on how we can prevent unwanted spectators from accessing our webcams. Here are some over-the-counter solutions:

  • Protect your webcam with credentials
  • Do not rely on the factory’s default username and password
  • Use a strong 12+ character password containing a mixture of uppercase letters, lowercase letters, and numbers. If possible, include special characters such as @#$%&!
  • Encrypt your webcam’s feed
  • Configure your camera to use a dynamic IP address instead of a static IP address
  • Set up a virtual private network (VPN) to access your camera
  • Utilize your system’s built-in security features

About 99% of the time, I was able to gather sensitive user data from the camera’s web interface. For example, I was able to obtain full names, street addresses, phone numbers, company information, email addresses, and other data. This can be avoided by simply not associating personal information with your camera. Most modern cameras have an automated email notification service that alerts administrators when the camera detects motion. This means that, in order to utilize the service, you are required to provide a valid email address. If you insist on using this feature, I recommend establishing a completely separate email account that will only serve this feature. When you establish your separate email account, however, be sure to use a fictitious name and don’t associate any additional email addresses (typically used for account recovery).
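The checklist above and the advice on detaching personal information, expressed as an audit over a camera's settings. This is an added example, not part of the original post; the settings keys, the sample factory logins, and both sample configurations are constructed for illustration.

```python
import re

# Constructed sample of factory-style logins; use the pair printed in your camera's manual.
FACTORY_LOGINS = {("admin", "admin"), ("admin", ""), ("root", "root")}

def password_problems(pw):
    """Apply the post's rule: 12+ characters with uppercase, lowercase and digits."""
    problems = []
    if len(pw) < 12:
        problems.append("password shorter than 12 characters")
    for name, pattern in (("uppercase", r"[A-Z]"), ("lowercase", r"[a-z]"), ("digit", r"\d")):
        if not re.search(pattern, pw):
            problems.append(f"password has no {name} character")
    return problems

def audit_camera(cfg, personal_terms):
    """Return findings for one camera settings dict (keys are hypothetical)."""
    findings = []
    if not cfg.get("auth_required"):
        findings.append("web interface does not require a login")
    if (cfg.get("username", ""), cfg.get("password", "")) in FACTORY_LOGINS:
        findings.append("factory default username/password still in use")
    findings += password_problems(cfg.get("password", ""))
    if not cfg.get("https_only"):
        findings.append("login and feed are served without encryption")
    if cfg.get("port_forwarded"):
        findings.append("camera is exposed to the internet instead of sitting behind a VPN")
    # Any text shown in the web interface can identify the owner, including
    # the address used for motion-alert email.
    for field in ("device_name", "location", "contact", "notify_email"):
        value = cfg.get(field, "").lower()
        if any(term.lower() in value for term in personal_terms):
            findings.append(f"{field} contains personal information")
    return findings

# Constructed inputs: the owner's identifying terms and two sample configurations.
TERMS = ["jane", "doe", "555-0100"]
WEAK = {"auth_required": True, "username": "admin", "password": "admin",
        "https_only": False, "port_forwarded": True,
        "device_name": "Jane Doe front office", "notify_email": "jane.doe@example.com"}
HARDENED = {"auth_required": True, "username": "camops", "password": "Tr4il-Mix&Lantern9",
            "https_only": True, "port_forwarded": False,
            "device_name": "cam-03", "notify_email": "cam03-alerts@example.net"}

if __name__ == "__main__":
    for name, cfg in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, audit_camera(cfg, TERMS) or "no findings")
```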

Although detaching your personal information is a step in the right direction, it may not be enough. Let’s use the Verizon Wireless store as an example. The Verizon Wireless camera didn’t have any information associated with it but I was still able to locate it. How? I used clues from the video feed. For example, a suite number on the front door, a pair of red chairs, and a corner window. First, I focused my attention on the suite number. With the help of Google, I found 23 matching stores. From here, I shifted my attention to the physical structure of the store. By using Google Earth’s street view, I found 4 stores that were located in corner structures. With there only being 4 possibilities now, I was left with two options. I could phone each store while watching the video feed, or I could continue my online search. I decided to continue my online search, which eventually led me to images of the Verizon store that I was looking for. In the end, it was the position of the two red chairs that gave away the store’s location.

Webcams are only the tip of the iceberg. My search extended into large industrial control systems, stoplight systems, enterprise resource planning (ERP) systems, and other highly volatile systems. Looking back on my webcam adventures, I realize just how naive we are. We believe we’re safe when, in reality, we’re only blanketed by a false sense of security. Considering that we live in a technologically advanced world, I can’t help but wonder where this false sense of security comes from. Maybe the blanket is knitted by a lack of education, or perhaps it’s our government’s fault. To be honest, I’m really not sure. I’ll let you decide.


6 thoughts on “Traveling the World Through Webcams”

  1. Hey Chris,
    I am a subscriber to your YouTube channel and found my way to your blog after watching your latest video. I think your videos are great and your blog does not disappoint in the slightest. I do not know if I missed this but you should add a subscription to your blog. Also what advice would you give a person that is just getting into the hacking world and wants to make a career (more of the white/grey hat career than the black) out of pentesting and hacking? Keep up the great videos and blogs.

    1. @MalcolmXX

      I appreciate your support and feedback. I just started the blog… so eventually I’ll start promoting it more.

      If you’re new to security and pen-testing, the best thing to do is start networking with other members of the hacker community. Ask LOTS of questions… and ALWAYS share what you’ve learned with others. Learn the terminology… learn the principles behind security… and experiment through trial and error. BackTrack 5 is a great operating system to use. Familiarize yourself with Linux and the tools that BackTrack 5 provides. As you already know, YouTube is an excellent source of information. Following tutorials is an important part of hands-on learning and understanding practical applications; however, it is important to further research the information presented in the tutorials so you can FULLY understand them. I’ll use “cracking WEP encryption” as an example. You can follow a tutorial on how to crack WEP encryption and get a wireless network’s WEP password. Feels pretty good, right? Yes, but now you need to put in the work and make a little effort. You should be asking yourself how and why you were able to crack the encryption. What tools were used? What do the tools do? What else can the tools be used for? Etc. In addition, you should look at it objectively, meaning you should also learn how to prevent this from happening.

      If you want to make a career for yourself, go to school and study information systems security. Bypassing security and exploiting vulnerabilities is only half of the battle. To be successful in the security industry, you need to know how to prevent attacks. There are many levels of security – network security, applications security, database security, and the list goes on. Having a broad understanding of these different levels is important.

      When it comes to obtaining employment, experience is important. How do you get experience? Apply for an internship… get certifications… find a mentor… just try to get your foot in the door somewhere. Your other option is to start your own business and become a private consultant. Regardless, your goal should be to establish credibility.

  2. Sorry it has taken me so long to reply but life has been very hectic lately! Anyways I am trying to get the word out about your tutorials to anyone that has an interest in this field. So definitely keep it up and keep promoting yourself!

    Thank you for the response and analysis on what I need to work on! I feel the same that all of this technology and potential at our fingertips is a great thing however I really am interested also in how the tools work and not just what they do. I will continue to work on my knowledge, skills, and contacts within the community. I appreciate people such as yourself sharing information with others that are interested in all of this!

    I am currently going to school but in a different field from computer information systems however my job and goals are probably going to lead me in this direction anyways. I will take what you said to heart and work on my skills so thank you for taking the time to give me some feedback! Keep up what you are doing!

    1. @Jared
      Visiting the home directory of an unsecured (public) web server (webcam or other web interface) is not a crime. Penetrating a secure web server, however, would be a crime. I thought my agenda was explicit but let me reiterate. The point of this article is not to demonstrate my ability to access a personal webcam, but to demonstrate how susceptible we are to privacy breaches as a result of insufficient security implementations. In addition, the article highlights security techniques that may be utilized to discourage unwanted spectators. Why did I use screenshots to support my article? To create an idea of legitimacy and provide a sense of urgency. You, and every other reader, should note that this article is relevant to business systems, personal systems, and private networks.
