Original Story Published on TheVerge.com: Somebody's watching: how a simple exploit lets strangers tap into private security cameras
Last week, a blog called Console Cowboys exposed a security vulnerability in some models of Trendnet home security cameras. By following the instructions on the site, anyone can access thousands of streaming personal IP cameras. Links to the compromised feeds spread quickly on message boards like Reddit and 4chan, where the adolescent quest for the surreptitiously-viewed nipple kicked into high gear.
Of course, nudity was found: a woman taking off her pajamas in her bedroom, a young mother standing next to a baby crib at night. Screenshots were made and posted to 4chan for teenage boys to ogle. These cameras were purchased by people who believed they would be making their home or workplace more secure. Instead, they became victims of an intimate and personal invasion of privacy. The security breach isn't leaking customer data like credit card numbers, or even sensitive corporate secrets as described in a recent New York Times article about security flaws in videoconferencing systems.
It’s worse. It’s strangers watching you undress in your own home.
While many IP cameras have open feeds that are semi-public and don’t require passwords, a close look at the Trendnet firmware revealed code that can be appended to the IP address of the camera, creating a URL of the camera’s feed that bypasses password authentication. The author of the Console Cowboys post, Someluser, was surprised it even worked:
"I can't really believe this is something that is intended by the manufacturer. Let's see who is out there."
Other available cameras were found by searching shodanhq.com, a semi-shady site that catalogs open devices. Some of the more interesting camera feeds included a laundromat in Los Angeles, a bar and grill in Virginia, living rooms in Korea and Hong Kong, offices in Moscow, a Newark man watching the football game in a Giants jersey, and the inside of a turtle cage.
Console Cowboys posted its instructions on accessing the cameras on January 10, and over the next two days a list of links to over 1,000 camera feeds appeared on Pastebin, a free text storage site popular among programmers and 4channers for storing and sharing snippets of code, Occupy movement screeds, the anti-Scientology manifestos of Anonymous, and the assorted Dane Cook joke. In an email, Someluser said that he was not responsible for creating the long list of links or posting them to other sites. "I would imagine these lists were created by readers and other individuals who have since created script enhancements on the original findings and code....It is hard to say how it ended up on 4chan, it is not a site I frequent."
The Pastebin link list appeared on Reddit’s security forum within a day, and on 4chan’s /b/ board sometime that week. Currently, the list has had over 87,000 hits. Each camera feed may have been viewed by hundreds or thousands of people.
On Reddit, the comments express concern over the unethical nature of this type of voyeurism: "this is no different than posting private information about individuals. Should be removed." On another message board, a user wrote, "the first one I tried showed a child's playpen, lake [sic] a nanny cam or something. I immediately shut the window and regreting with this, I thought it would be parking lots and skyscrapers and, not residential cameras."
I first discovered the leaked camera feeds on 4chan on January 21, but it was clear that users had already known about them for some time. The thread had started out as a troll — someone posted a screenshot of his browser displaying one of the cameras, with his other browser tabs conspicuously open to sites 4channers would find distasteful (Reddit, a My Little Pony fan blog, icanhazcheeseburger). The post was meant to goad people into insulting him for his poor taste, but the thread quickly changed as commenters remembered how fun it was to watch those feeds that they had discovered the week before. Apart from the nudity, the camera that garnered the most 4chan rage showed an empty living room that featured a large Christmas tree: users decried how lazy this family must be to still have the tree up a month after the holiday.









