Don't you hate it when people want to kill the messenger instead of addressing the problems highlighted in the message?
This time the messenger is Shodan, as the IoT search engine added a new section featuring vulnerable webcams. Ars Technica reported, "The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores."
While Ars certainly did not suggest that Shodan is the root of the problem, earlier this year security vendor Check Point did. After Check Point issued a threat alert urging customers to block Shodan, Vectra CSO Gunter Ollmann responded, "It's a sad indictment of current network security practices that a reputable security vendor felt the need and justification to add detection rules for Shodan scans and that their customer organizations may feel more protected for implementing them."
Ollmann also pointed out, "In general, most people don't identify what Google (or Microsoft, Yahoo or any other commercial search engine) does as bad, let alone illegal. But if you are familiar with the advanced search options these sites offer or read any number of books or blogs on 'Google Dorks,' you'll likely be more fearful of them than something with limited scope like Shodan."
Shodan's new vulnerable webcam feed features cameras that have an open port, lack authentication, and stream video. Shodan captures one image from each and moves on to the next. The vulnerable webcams "use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place." Ars explained that paying Shodan members can access the vulnerable webcam feed at "images.shodan.io." Even with a free Shodan account, you can log in and search for such webcams using the filter "port:554 has_screenshot:true."
Blocking Shodan, as Check Point suggested, does not make vulnerabilities magically disappear; it won't stop bad guys from exploiting improperly configured services, because Shodan is far from the only scanning tool that exists. Attackers will simply use other scanners, particularly since "Shodan is not an anonymous service." In fact, Shodan founder John Matherly made a case to Softpedia for Shodan actually being a "force for good," as hundreds of thousands of devices have been secured after security researchers came forward to report vulnerabilities found via the search engine.
Although security researcher Dan Tentler estimated that there are millions of insecure webcams connected to the Internet and discoverable with Shodan, Shodan is far from the only site that features insecure cameras.
As for blacklisting Shodan, Tentler told CSO's Steve Ragan that Check Point's advisory had "some massive, glaring issues, especially from a firewall vendor that has been around for as long as they have." Tentler added, "Just blocking Shodan won't stop access to your poorly written Web app, or your publicly exposed admin interface."
"The bigger picture here is not just personal privacy, but the security of IoT devices," security researcher Scott Erven told Ars. "As we expand that connectivity, when we get into systems that affect public safety and human life—medical devices, the automotive space, critical infrastructure—the consequences of failure are higher than something as shocking as a Shodan webcam peering into the baby's crib."
If you don't want strangers staring into your private spaces, taking screenshots or using the Internet to watch you and yours, then put a password on your webcam. Make it unique, as there is nothing secure about using default passwords on wireless IP cameras.
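The "no password on RTSP port 554" condition described above is something you can verify on a camera you own before a search engine does it for you. The following is an added example, not code from the article or from Shodan: it sends a single RTSP DESCRIBE request to one host and reports whether the camera served the stream description without credentials, challenged for Digest or Basic authentication, or answered something else. The sample responses and the `check_camera` helper are constructed for illustration.

```python
import socket

# Constructed sample RTSP responses (not captures from any real device),
# shaped like a camera's answer to a DESCRIBE request.
SAMPLE_NO_AUTH = (
    "RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n"
    "Content-Length: 0\r\n\r\n"
)
SAMPLE_DIGEST = (
    "RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
    'WWW-Authenticate: Digest realm="camera", nonce="abc123"\r\n\r\n'
)
SAMPLE_BASIC = (
    'RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\nWWW-Authenticate: Basic realm="cam"\r\n\r\n'
)

def build_describe(url, cseq=1):
    """Build the RTSP/1.0 DESCRIBE request used by the check (RFC 2326 syntax)."""
    return f"DESCRIBE {url} RTSP/1.0\r\nCSeq: {cseq}\r\nAccept: application/sdp\r\n\r\n"

def classify_rtsp_response(raw):
    """Map a raw RTSP response to a verdict:
    'open'        -> 200 OK without any credentials: exactly what the feed indexes
    'auth_digest' -> 401 with a Digest challenge (password required)
    'auth_basic'  -> 401 with a Basic challenge (password required, but sent in the
                     clear on every request, so only acceptable on a trusted LAN)
    'other'       -> anything else (404 path, 5xx, non-RTSP banner, ...)"""
    header = raw.split("\r\n\r\n", 1)[0]
    lines = header.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("RTSP/") or not parts[1].isdigit():
        return "other"
    status = int(parts[1])
    challenge = ""
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate":
            challenge = value.strip().lower()
    if status == 200:
        return "open"
    if status == 401 and challenge.startswith("digest"):
        return "auth_digest"
    if status == 401 and challenge.startswith("basic"):
        return "auth_basic"
    return "other"

def check_camera(host, port=554, path="/", timeout=3.0):
    """Probe one camera you administer; returns a verdict or 'unreachable'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(build_describe(f"rtsp://{host}:{port}{path}").encode())
            return classify_rtsp_response(sock.recv(4096).decode(errors="replace"))
    except OSError:
        return "unreachable"
```

A verdict of `open` on a camera reachable from the Internet is the condition the article describes; the fix is the one it gives, a unique password on the device, plus keeping port 554 off the public side of the router.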