40,000 cameras expose feeds to datacenters, health clinics • The Register

Security researchers managed to access the live feeds of 40,000 internet-connected cameras worldwide and they may have only scratched the surface of what’s possible.

Supporting the bulletin issued by the Department of Homeland Security (DHS) earlier this year, which warned of exposed cameras potentially being used in Chinese espionage campaigns, the team at Bitsight was able to tap into feeds of sensitive locations.

The US was the most affected region, with around 14,000 of the total feeds streaming from the country, allowing access to the inside of datacenters, healthcare facilities, factories, and more.

Bitsight said these feeds could potentially be used for espionage, mapping blind spots, and gleaning trade secrets, among other things.

Aside from the potential national security implications, cameras were also accessed in hotels, gyms, construction sites, retail premises, and residential areas, which the researchers said could prove useful for petty criminals.

Monitoring the typical patterns of activity in retail stores, for example, could inform robberies, while monitoring residences could be used for similar purposes, especially considering the privacy implications.

“It should be obvious to everyone that leaving a camera exposed on the internet is a bad idea, and yet thousands of them are still accessible,” said Bitsight in a report.

“Some don’t even require sophisticated hacking techniques or special tools to access their live footage in unintended ways. In many cases, all it takes is opening a web browser and navigating to the exposed camera’s interface.”

Bitsight looked at two types of internet-connected cameras relying on HTTP and RTSP technologies, which are typically used in consumer and commercial contexts respectively.

While the researchers said all it takes to fingerprint these cameras is a browser and a uniform resource identifier (URI), finding them isn’t quite as simple, but far from impossible for a motivated individual or group.

For HTTP-based cameras, Bitsight said most camera manufacturers implement an API that returns a single frame from a live feed, at the time the request was made, provided the correct URI and parameters are used.

It would take some study of each manufacturer’s technical documentation, but the live frames could be captured when systematically testing the URIs until an image is returned.

“This is essentially how we detected exposed HTTP-based cameras from various manufacturers: first identifying the likely manufacturer, then determining which specific URIs to test against that brand and model until we found the one that provided the screenshot we were looking for,” Bitsight said.

RTSP cameras are designed for low-latency continuous streaming, which is why they’re more common in commercial scenarios such as surveillance systems.

Fingerprinting these was more difficult than HTTP-based cameras, a process carried out using identifiers such as HTML favicon hashes, headers, and titles, because these types of hints aren’t as abundant.

“The only useful piece of information we can check is the RTSP server header,” it said, but RTSP endpoints typically do not reveal information about said header. As a result, the number of affected camera vendors identified by the researchers was limited.

HTTP-based cameras accounted for 78.5 percent of the total 40,000 sample, while RTSP feeds were comparatively less open, accounting for only 21.5 percent.

Altogether, the camera findings exposed feeds from highly sensitive locations such as hospitals, factories, datacenters, and more, which as the DHS warned in February could be exploited by spies and criminals.

The non-public DHS security bulletin, reported by ABC News earlier this year, reportedly zeroed in on cameras that typically lack encryption and security controls enabled by default.

The bulletin also focused on Chinese-made cameras, of which the department expects tens of thousands to be operating in critical infrastructure organizations across the US, with special concern surrounding the energy and chemical sectors.

Chinese spies have previously accessed these camera feeds, and the DHS reportedly warned that they are likely to do so again.

“A cyber actor could leverage cameras placed on IT networks for initial access and pivot to other devices to exfiltrate sensitive process data that an actor could use for attack planning or disrupting business systems,” the bulletin said, according to the broadcaster.

“A cyber actor could use cameras placed on safety systems to suppress alarms, trigger false alarms, or pivot to disable fail-safe mechanisms.”

In addition to state-sponsored threats, Bitsight said the cybercriminal underground is teeming with interested parties seeking similar access, albeit likely for different ends.

Scouring marketplaces and forums, they found signs of individuals sharing IP addresses with descriptions of the feeds, such as bedrooms, workshops, and more.

The researchers said these kinds of communities are filled with individuals who may be looking to stalk or attempt to extort individuals with footage taken from inside their private residences. ®