What is wrong with the security of the Internet of Things: How Shodan became a “search engine for sleeping children”

The famous search service Shodan recently launched a section that allows users to view images from vulnerable webcams connected to the Internet. In a short time, hemp plantations, backyards of banks, children's bedrooms, kitchens, living rooms, swimming pools, schools and colleges, laboratories, shops have already fallen into the frame.

Shodan is looking for network-connected devices with open ports. If you can connect to the port without a password and it broadcasts the video, the robot takes a screenshot and moves on. In addition to questions about the legality of such actions by the administration Shodan, a new section of the project emphasizes the current level of security of the Internet of Things.
')
Information security researcher Dan Tentler said in a conversation with the Ars Technica publication that with the help of Shodan you can now see "everything you can think of."



The cameras are vulnerable because they use Real Time Streaming Protocol (RTSP) to transmit video without proper authentication. As a result, the image from these devices is available to anyone who connects to them.

According to Tentler, the number of such unprotected webcams is currently estimated at millions.



According to the information security expert, such a serious situation with the security of the devices was the result of the current market situation. At the moment, users do not realize the importance of protecting the devices they buy and, accordingly, are not willing to pay extra money for it. In turn, manufacturers are not interested in increasing user awareness of the possible consequences of this approach - this will entail additional costs for them.

The safety of Internet of Things devices in 2015 was repeatedly the focus of attention - researchers published information that video monitors of popular manufacturers contain serious vulnerabilities that allow attackers to gain control over them and talk to children or watch live video.

In addition, it was widely discussed that many wearable webcams worn by American police were infected with the Win32 / Conficker.B! Inf Trojan, which in 2008 infected more than 15 million Windows computers around the world. In addition, as early as 2013, Positive Technologies experts found vulnerabilities in Samsung DVR video surveillance software - the errors allowed attackers to gain access to the internal pages of the video surveillance system management interface, view the data of user accounts of the system and gain complete control over it

Positive Technologies experts recommend users to remember that the security mechanisms of most modern Internet of Things devices are far from ideal. Therefore, it is necessary to carefully connect them to the network, since it is very likely that outsiders will be able to access the information transmitted and processed by them.