One of the biggest banes of Internet security is the dreaded default user account left in place once a system is connected to the Internet. Device search engines such as Shodan let security researchers and hackers alike search for devices by the information their services publish. Shodan gathers that information by connecting to common ports and recording what each service announces about itself, a process called banner grabbing. A user can then search for everything Shodan has seen at a given IP address, and interrogate those services to determine what that system is doing online.
Unfortunately for a school in Blackpool, Great Britain, this included the IP cameras installed on its campus.
In all likelihood this was achieved by querying Shodan and locating the open ports associated with IP cameras. From there, an attacker would only need to look up the default user accounts for that device through open-source intelligence (e.g. a Google search for the vendor's manual) and then attempt to log in using those credentials.
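The chain described above, as an added example that is not part of the original post: a Python script that stands up a constructed mock "camera" on the loopback interface (the banner, realm and factory account are all hypothetical), grabs its banner the way a scanner would, and then tries a small constructed default-credential list against its HTTP Basic authentication. The point is to show how little is needed once the banner is known; run checks like this only against devices you own or are authorised to test. Here the target is the mock server started in the same process.

```python
import base64
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed stand-in for an Internet-exposed IP camera: a vendor-style
# Server header plus a web UI guarded by HTTP Basic auth with the factory
# default account. All three values are hypothetical.
MOCK_BANNER = "IPCamera-Web/1.0"
MOCK_REALM = "IP Camera"
MOCK_DEFAULT_ACCOUNT = ("admin", "admin")

# Hypothetical default-credential list of the kind collected from vendor
# manuals via open-source research. Constructed for this example only.
DEFAULT_CREDENTIALS = [
    ("admin", "12345"),
    ("root", "pass"),
    ("admin", ""),
    ("admin", "admin"),
]


class MockCameraHandler(BaseHTTPRequestHandler):
    def version_string(self):
        # Advertise the constructed banner instead of "BaseHTTP/x Python/y".
        return MOCK_BANNER

    def do_GET(self):
        expected = "Basic " + base64.b64encode(
            ":".join(MOCK_DEFAULT_ACCOUNT).encode()).decode()
        if self.headers.get("Authorization") == expected:
            body = b"<html>live view</html>"
            self.send_response(200)
        else:
            body = b"Unauthorized"
            self.send_response(401)
            self.send_header("WWW-Authenticate", f'Basic realm="{MOCK_REALM}"')
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_mock_camera():
    """Bind the mock camera to an ephemeral loopback port; return (server, port)."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), MockCameraHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def banner_grab(host, port, timeout=3):
    """Fetch what an unauthenticated client sees: status, Server header, auth realm."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        return {
            "status": resp.status,
            "server": resp.getheader("Server", ""),
            "www_authenticate": resp.getheader("WWW-Authenticate", ""),
        }
    finally:
        conn.close()


def try_default_credentials(host, port, candidates, timeout=3):
    """Return the first (user, password) pair the device accepts, else None."""
    for user, password in candidates:
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("GET", "/", headers={"Authorization": "Basic " + token})
            resp = conn.getresponse()
            resp.read()
            status = resp.status
        finally:
            conn.close()
        if status == 200:
            return (user, password)
    return None


def audit_mock_camera():
    """Run banner grab and default-credential check against the mock camera."""
    server, port = start_mock_camera()
    try:
        banner = banner_grab("127.0.0.1", port)
        creds = try_default_credentials("127.0.0.1", port, DEFAULT_CREDENTIALS)
    finally:
        server.shutdown()
        server.server_close()
    return {"banner": banner, "default_credentials": creds}


if __name__ == "__main__":
    print(audit_mock_camera())
```

The banner alone (Server header and realm) is what a Shodan-style index stores; the second step is the part an attacker does by hand. Against a real device, replace the mock with the camera's address and a vendor-specific credential list, and note that many cameras use form logins or digest authentication rather than Basic, so the request format would change.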
A hole like this may affect more than the camera itself: a particularly skilled attacker who can log in as the administrator could upload a tampered firmware package and use the camera as a foothold to pivot through the network into other devices. Whilst this is a particularly difficult thing to do, depending on the value of what they are seeking to compromise it may be a cost a hacker is prepared to bear.
Shodan reports a total of 11,720 devices located in the Blackpool area, many of which do not require authorisation to connect to their published services. Of these devices, many advertise themselves as cameras or webcams. All of them can be interrogated, and some may still be running with their preconfigured default user accounts.
Recommendation: Remove default user accounts, and where a device will not let its built-in account be removed, change its password and block access to the management interface from the Internet. Adopt a complex password policy (e.g. a 13 character minimum with at least 3 special characters and no dictionary words). Conduct regular network perimeter tests to determine what is exposed publicly, and decide whether each exposed service should remain exposed.
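The password policy in the recommendation, as an added example that is not part of the original post: a Python checker that enforces the three rules (13 character minimum, at least 3 special characters, no dictionary words). It goes one step further than the text by undoing common letter-for-symbol substitutions before the dictionary check, so that "P@ssw0rd" is not counted as free of dictionary words. The word list is a constructed stand-in; in practice the check should run against a full dictionary.

```python
import string

# Constructed mini word list standing in for a real dictionary (hypothetical).
DICTIONARY = {"admin", "password", "camera", "school", "blackpool",
              "welcome", "summer", "letmein"}

# Common substitutions people use to dodge dictionary checks; reversed
# before the lookup so "P@ssw0rd" is still recognised as "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 13
MIN_SPECIAL = 3
MIN_WORD_LEN = 4  # ignore accidental two or three letter matches


def contains_dictionary_word(candidate, dictionary=DICTIONARY):
    """True if a dictionary word of MIN_WORD_LEN+ letters appears after normalisation."""
    normalised = candidate.lower().translate(LEET_MAP)
    return any(len(word) >= MIN_WORD_LEN and word in normalised
               for word in dictionary)


def check_password_policy(candidate, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means the password passes."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    specials = sum(1 for c in candidate if c in string.punctuation)
    if specials < MIN_SPECIAL:
        failures.append(f"fewer than {MIN_SPECIAL} special characters")
    if contains_dictionary_word(candidate, dictionary):
        failures.append("contains a dictionary word")
    return failures


if __name__ == "__main__":
    for pw in ["admin", "P@ssw0rd!!##$", "xQ7#vT9!mK2&zR"]:
        print(repr(pw), check_password_policy(pw) or "OK")
```

Note that the dictionary rule is only as good as the word list behind it, and that a policy like this does nothing for a device whose factory account is never changed; the two recommendations go together.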