In 2009, programmer John Matherly launched Shodan, a search engine that lets users search for devices that are connected to the internet. The program, which is named after the AI antagonist from the System Shock games, has previously made headlines for its ability to access dangerous, internet-connected systems such as traffic lights. Now, the search engine is back under the spotlight after it recently launched a new section that lets users browse vulnerable webcams.
According to a report from Ars Technica, security researcher Dan Tentler discovered that the feed included images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores.
"It's all over the place," he told Ars Technica UK. "Practically everything you can think of."
Shodan trawls the internet looking for any IP addresses with open ports. If it finds any that lack authentication and stream video, the new script will take a picture of the feed before moving on. The cameras are vulnerable because they use the Real Time Streaming Protocol (RTSP, port 554) to share video but have no password authentication in place.
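The condition described above, seen from the camera owner's side, as an added example that is not part of the original article: it classifies a camera's reply to an unauthenticated RTSP DESCRIBE request. The sample replies, the 192.0.2.10 address and the function names are constructed for illustration.

```python
import re

def build_describe(url, cseq=1):
    """Unauthenticated RTSP DESCRIBE request (RFC 2326) for a camera you administer."""
    return (f"DESCRIBE {url} RTSP/1.0\r\nCSeq: {cseq}\r\n"
            "Accept: application/sdp\r\n\r\n").encode()

def parse_response(raw):
    """Split a raw RTSP reply into (status code, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    m = re.match(r"RTSP/\d\.\d (\d{3})", lines[0])
    if not m:
        raise ValueError("not an RTSP response")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:  # a header may repeat, e.g. one WWW-Authenticate per scheme
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(m.group(1)), headers, body

def classify(raw):
    """Return 'exposed', 'digest', 'basic-only' or 'unknown' for one reply."""
    try:
        status, headers, body = parse_response(raw)
    except ValueError:
        return "unknown"
    schemes = [v.split()[0].lower() for v in headers.get("www-authenticate", []) if v]
    if status == 200 and body.lstrip().startswith(b"v=0"):
        return "exposed"     # SDP stream description served with no credentials
    if status == 401 and "digest" in schemes:
        return "digest"      # password required, not sent in the clear
    if status == 401 and "basic" in schemes:
        return "basic-only"  # password required, but base64 over cleartext RTSP
    return "unknown"

# Constructed sample replies (not captured from any real device).
SAMPLE_OPEN = (b"RTSP/1.0 200 OK\r\nCSeq: 1\r\nContent-Type: application/sdp\r\n\r\n"
               b"v=0\r\no=- 0 0 IN IP4 192.0.2.10\r\ns=cam\r\nm=video 0 RTP/AVP 96\r\n")
SAMPLE_DIGEST = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                 b'WWW-Authenticate: Digest realm="cam", nonce="constructed"\r\n\r\n')
SAMPLE_BASIC = (b"RTSP/1.0 401 Unauthorized\r\nCSeq: 1\r\n"
                b'WWW-Authenticate: Basic realm="cam"\r\n\r\n')

if __name__ == "__main__":
    print(build_describe("rtsp://192.0.2.10:554/").decode())
    for name, raw in [("open", SAMPLE_OPEN), ("digest", SAMPLE_DIGEST), ("basic", SAMPLE_BASIC)]:
        print(name, "->", classify(raw))
```

A reply of `exposed` is the state the article describes: the camera hands out its stream description to anyone who asks, so a password needs to be set or port 554 taken off the public internet.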
One of the biggest fears with this vulnerability is that users could find images of sleeping children, as many parents now use smart baby monitors. The feed is available to paid Shodan members, but free accounts can also search using a specific filter.
The IoT market is continuing to expand. It’s estimated that by 2020, more than 34 billion internet-connected devices will be installed globally – more than four devices for every human on earth. Despite the rising popularity, the state of IoT security appears to be getting worse, not better. This is partly due to manufacturers implementing poor security and privacy features into their products to increase profit margins, and partly because of consumers not understanding the dangers of a vulnerable IoT device.
"The consumers are saying 'we're not supposed to know anything about this stuff [cybersecurity]," Tentler said. "The vendors don't want to lift a finger to help users because it costs them money."