This story appeared on Network World Fusion at
By Scott Bradner
Network World, 01/17/05
One of the problems with IP-based cameras is that unknown people can access them to see what the cameras are pointing to. It would seem to be a no-brainer to try to prevent this, but many people who install IP cameras don't take any such measures, and some vendors make it easy for unprotected cameras to be found.
After some major news coverage of surreptitiously taken videos of nannies beating up children in their care, lots of parents began installing concealed cameras in their homes. Many of these cameras were IP-based and wound up being connected to home networks that were, in turn, connected to the Internet through DSL or cable modems. This was ideal for the people who installed them because they could peek in from the office. There was a bit of a potential privacy problem: Because the nannies tended to work in places where the homeowners also frequented, unless the homeowners took care to remember the camera was there, potentially embarrassing images could be on the 'Net for the taking.
Shortly thereafter, corporate network security people and others who were putting up security cameras figured out that they could save a lot on installation cost if they also used IP-based camera systems.
Many of these home or business IP-based cameras ran mini Web servers so the user could employ a standard browser to look, but most of the systems had no or minimal security. Many people did not even take advantage of whatever security the cameras did have. I guess they didn't think about the issue or assumed that because they would not be telling the world the IP address of the camera no one would find it.
In another example of security through obscurity not actually being security, it turns out that some of the manufacturers have made it easy for the IP addresses to be found. The manufacturers used consistent character strings in the URLs that the users employed to access the cameras. And it turns out that Google (the universal research tool these days) has a feature in its search command to look for URLs that include a particular string.
For example, the command "inurl:view/index.shtml" will look for the string "view/index.shtml" in all URLs. This happens to be a string that one of the camera manufacturers uses in its systems. Google finds almost a thousand URLs with this string - almost all of them are Axis IP-based cameras. Other strings to look for include "ViewerFrame?Mode=" and "MultiCameraFrame?Mode=." Together they produce more than 2,000 additional hits.
I did a random look at the URLs the searches came up with and looked at a snowstorm in Lapland, Finland; an empty auditorium in Mexico; the center of East Ayrshire, England; the interiors of a number of restaurants and stores; a construction site in Hungary; ice and snow on Lake Lucille, Ala.; a bunch of car garages; furniture showrooms; a number of computer centers; a Japanese radio talk show; lots of parking lots; and scads of traffic and weather cams. Some of the cameras could even be controlled over the Web. By the way, there seems to be a lot of snow in Japan right now.
Some URLs did not respond and some sites did request a logon and password, but thousands of cameras are there for the viewing. I didn't find anything risqué, but I only looked at a few sites.
I hope that any of you who put in IP-based cameras and want them to be private do not assume that no one will find them on the 'Net. I also hope that the manufacturers will fix their code to make the cameras not so easy to find.
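For a camera owner who wants to check rather than assume, the following is an added example, not part of the original column or any vendor's code. It scans web access logs for the three URL strings named above and flags viewer pages that were served without a login, noting whether the visitor arrived from a search engine. It assumes the camera sits behind a proxy that writes Combined Log Format; the log lines, addresses and the `SEARCH_HINTS` markers are constructed for illustration.

```python
import re

# URL fragments the column names as consistent across camera installations.
CAMERA_PATHS = ("view/index.shtml", "ViewerFrame?Mode=", "MultiCameraFrame?Mode=")
# Assumption: markers for a search-engine referrer or crawler user agent.
SEARCH_HINTS = ("google.", "googlebot")

# Combined Log Format: host ident user [time] "request" status size "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

def exposed_hits(lines):
    """Return (host, url, via_search) for viewer pages served without a login."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if not any(p in m["url"] for p in CAMERA_PATHS):
            continue
        # A 200 with no authenticated user means the page was open to anyone.
        if m["status"] != "200" or m["user"] != "-":
            continue
        source = (m["referer"] + " " + m["agent"]).lower()
        via_search = any(h in source for h in SEARCH_HINTS)
        findings.append((m["host"], m["url"], via_search))
    return findings

# Constructed sample log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [17/Jan/2005:10:00:01 +0000] "GET /view/index.shtml HTTP/1.1" 200 5120 "http://www.google.com/search?q=x" "Mozilla/4.0"',
    '198.51.100.7 - - [17/Jan/2005:10:02:11 +0000] "GET /ViewerFrame?Mode=sample HTTP/1.1" 200 2048 "-" "Googlebot/2.1"',
    '203.0.113.5 - owner [17/Jan/2005:10:05:40 +0000] "GET /view/index.shtml HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [17/Jan/2005:10:06:02 +0000] "GET /view/index.shtml HTTP/1.1" 401 0 "-" "Mozilla/4.0"',
    '192.0.2.77 - - [17/Jan/2005:10:07:30 +0000] "GET /MultiCameraFrame?Mode=sample HTTP/1.1" 200 4096 "-" "Mozilla/4.0"',
    '192.0.2.44 - - [17/Jan/2005:10:08:12 +0000] "GET /index.html HTTP/1.1" 200 900 "-" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for host, url, via_search in exposed_hits(SAMPLE_LOG):
        print(host, url, "found via search" if via_search else "direct")
```

Any finding means the viewer page answered without credentials; a finding marked as coming from a search engine means the address is already indexed and obscurity is no longer in play.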
Disclaimer: Google makes Harvard easy to find with 33.7 million hits, not all of them about the university. But the opinion on open cameras is mine, not Harvard's.