Eyes Wide Shut
For three years, an unsecure camera in Cincinnati’s Indian Hill High School broadcast the comings and goings of students to the world through the Internet.
On some days the video captured young girls wearing short gym shorts and T-shirts. The girls sat or played with classmates, stretching their legs and never knowing their every movement was broadcast to anyone with an Internet connection -- including potential predators.
The live video stream was a direct feed from the school district’s security camera network, but administrators confirm it was never intended to go public. Yet, Scripps News found the video live for anyone to access with a computer or even a mobile phone without any prompting for a password or permission.
“We thought every single one of those cameras was password protected,” Dr. Mark Miles, superintendent of Indian Hill School District, said. “It was an open door. As a parent myself, I would have a concern with that.”
Within minutes of learning of its existence from Scripps News, Miles ordered the video feed closed down.
A Scripps News investigation has discovered the Indian Hill School District is among an alarming number of consumers, businesses and other entities nationwide that unknowingly leave back doors wide open to their online video feeds and computer networks. The open ports have become increasingly easy for the general public to discover with the advent of a search engine called Shodan, which calls itself “the world’s first search engine for Internet-connected devices.”
“It's brainless. Now anybody with a browser can go to this Website and search for a variety of stuff all over the world,” said Dan Tentler, a security researcher for Carbon Dynamics. He is hired by private companies to discover and fix vulnerabilities online. “You don’t need training, you don’t need experience. All you need is 60 seconds of time.”
While hackers regularly turn to the search engine, most vulnerable companies and consumers remain completely in the dark about their risks, he said. Three out of four Internet-connected cameras he studied were unprotected, meaning he found “somewhere in the neighborhood of 700,000” that were unsecure.
Tentler says far too many people have hooked up devices to the Internet so that they can have remote access and increase convenience, but haven’t taken basic security precautions. Many mistakenly believe that because they do not post their devices on a public Web page, no one will discover them. Others turn off security settings called firewalls to enable remote access. In fact, the moment a device is live online it receives an Internet address called an “i.p. address” that Shodan can discover -- whether or not the device is live on a separate Internet page that Google might find.
Another common mistake takes place when users never update manufacturer default passwords, which are largely available in online forums.
Earlier this year, the Federal Trade Commission weighed in, warning businesses and consumers of the growing dangers online that come from an estimated 25 billion connected items.
“Given the number of devices that are out there, there's large risk,” FTC attorney Kristen Anderson said.
The agency filed a first-of-its-kind complaint in 2013 against one company, Trendnet, alleging it sold Web cameras that remained unprotected from public access even after security settings were enabled. Trendnet settled the case and remains bound by an order to inform consumers how to fix the problem. The FTC, which has gathered experts from government and private industry to address what it sees as a serious problem, recently held a workshop where it was revealed that the threats from poor security extend well beyond privacy.
“One of our panelists demonstrated how he was able to hack into his own insulin pump,” Anderson said, noting how the panelist could change the settings on the insulin pumps so they no longer delivered medicine.
“If you hacked into a connected pacemaker, defibrillator and issued a shock you could stop someone's heart,” Anderson said.
Scripps News conducted its own survey of the Internet, and quickly discovered nine unprotected cameras at the Harlan County Jail in Kentucky that captured female inmates sleeping and revealed much of the jail’s layout.
Chief Deputy Derrick Moore, who works at the jail, said the cameras were never meant to be publicly accessible. He blamed the failure on a vendor the jail hired in February to install a new video communications system.
Scripps also found five unprotected video streams from cameras at the University of Kentucky. University officials who looked into the matter said the security breach took place after employees attempted to gain remote access for their own use, not the public’s. “The cameras were purposely configured the way they were to enable support staff to remotely assess these rooms’ other AV equipment functionality,” University spokesperson Kathy Johnson said, noting the University has since closed the public feeds down.
Security researcher Tentler says many manufacturers of digitally connected products operate with little to no regard for the security of the devices they sell. He noted, for example, that he personally discovered vulnerabilities with one manufacturer’s large electronic billboards which can display eye-catching advertisements in heavily trafficked areas. He said he repeatedly reached out to the manufacturer trying to warn of the vulnerability but says, “They politely told me to go away.” Last Wednesday, the potential threat became real when a giant billboard in the trendy Buckhead neighborhood of Atlanta was hacked, replacing its normal advertisement with an offensive pornographic picture peering down on a busy intersection.
The FBI has confirmed it is now investigating the incident, which does not appear isolated.
“The FBI is in discussions with the Atlanta Police Department on the matter in an effort to better determine the scope of what appears to be a hacking into these digital billboards,” said special agent Stephen Emmett of the FBI’s Atlanta field office. “The FBI, in its initial assessment, is also trying to better determine all of the servers involved and their locations.”
A group calling itself the “Assange Shuffle Collective” took credit for the billboard hack in the online forum Reddit. The group appears to affiliate itself with Julian Assange, the founder of WikiLeaks, which published a trove of sensitive U.S. military and diplomatic documents in 2010.
In claiming responsibility for the recent incident, the group publicly bragged it was not concerned about being caught by law enforcement, noting that it operated from behind multiple online shields. Security researcher Tentler says he has personally discovered hundreds of other billboards he believes could be vulnerable to much less sophisticated hackers, including many that sit near busy highways where distractions could turn deadly.
“Google and Shodan are just tools,” he said. “They’re like a kitchen knife. If you would like to use a kitchen knife to be an award-winning chef that’s entirely in your power. If you want to use your kitchen knife to go and carve up your neighbors, that’s also in your power.”
If you have a tip or an update, email firstname.lastname@example.org.