40K IoT cameras worldwide stream secrets to anyone with a browser.
40K IoT cameras worldwide stream secrets to anyone with a browser.
www.bitsight.com
40K Security Cameras Found Compromised Online | Bitsight
17 comments
-
-
40k? Impressive resolution.
-
For the Emperor!
-
-
Those cameras are there since 90s I remember watching them in ActiveX in real media player plugin in IE. Nothing changed.
-
40K?
Praise the Omnissaiah!
-
It would be nice to know what brands or models are most vulnerable.
-
What this is talking about is not really about the brand or model, its just about them being misconfigured. These cameras were exposed to the internet with either default credentials or no authentication.
Theres very few good reasons to expose a camera to the internet at all, just access it over a VPN. If for some reason someone really needs to access it over the internet (I genuinely cannot think of any), then they should put some proper authentication in front of it.
-
An IP camera may stay in use for a decade or more without any firmware updates. You shouldn't trust any sort of authentication that's built into the camera to be secure. Keep them on an isolated LAN and only allow access from the server that's running the DVR software.
-
-
Any camera you expose to the internet with no protection is vulnerable. The issue is just that they're accessible over the internet without a password.
Follow best practices by keeping your cameras on a separate VLAN that's isolated from the internet, and you'll be fine. Use a VPN like Tailscale to view your cameras while away.
-
-
There's a site that lists all the insecure cameras: http://www.insecam.org/
-
Even when they are protected, when did they receive the last update? There are probably so much more vulnerable IoT devices.
17 comments
Shodan.io is the searchable index of open IoT devices.
Change the default password, people!
Hard-coded default passwords have been illegal in California since 2020, so it shouldn't be as much of an issue with newer devices. Companies aren't going to make California-specific versions of their devices, so they'll often just follow the California standards everywhere.
To be legal in California, the device either needs to have a randomly-generated password unique to that device (can be listed on a sticker on the bottom of the device, or in the manual), or it needs to prompt to set a password the first time you use it.
I still wouldn't ever expose a camera directly to the internet. Keep it just on your LAN (eg using a VLAN) and VPN in (eg using Tailscale) to connect to it remotely.
Yes, but no one checks the legality of cheap Chinese devices from Amazon.
Can't remember when it came into effect, but randomized device specific passwords are also mandatory in the EU now. This was relatively recently though. It means every single device (item, not model type or class) has to have an individual password (also usually it's on a sticker or something).
And yes, connecting any ip camera to the Internet is just dumb.