The following text is copyright 2005 by Network World, permission is hereby given for reproduction, as long as attribution is given and this notice is included.


Public nannycams


By Scott Bradner 


One of the problems with IP-based cameras is that unknown people can access them to see what they are pointing at.  It would seem to be a no-brainer to take measures to ensure that this does not happen, but it turns out that many people who install IP cameras do not take any such measures and that some vendors make it easy for unprotected cameras to be found.


After some major news coverage showing surreptitiously taken videos of nannies beating up children in their care, lots of parents began installing concealed cameras in their houses so that they could keep an eye on their nannies.  Many of these cameras were IP-based and wound up being connected to home networks that were, in turn, connected to the Internet through DSL or cable modems.  This was ideal for the people who installed them because they could peek in from the office.  There was a bit of a potential privacy problem because the nannies tended to work in places that the homeowners also frequented and, unless the homeowners took care to remember the camera was there, potentially embarrassing images could be on the net for the taking.


Shortly thereafter the folk who were putting up security cameras figured out that they could save a lot of installation cost if they also used IP-based camera systems.


Many of these home or business IP-based cameras ran mini web servers so that the user could use a standard browser to look but most had no or minimal security.  Many people did not even take advantage of whatever security the cameras did have.  I guess that people did not think about the issue or assumed that because they would not be telling the world the IP address of the camera no one would find it. 


In another example of security through obscurity not actually being security, it turns out that some of the manufacturers of these cameras have made it easy for the IP addresses of the cameras to be found.  The manufacturers used consistent character strings in the manufactured URLs the users use to access the cameras.  And it turns out that Google (the universal research tool these days) has a feature in its search command that tells Google to search for URLs that include a particular string.  For example, the command inurl:"view/index.shtml" will look for the string "view/index.shtml" in all URLs.  This happens to be a string that one of the camera manufacturers uses in their systems.  Google finds almost a thousand URLs with this string - almost all of them are AXIS IP-based cameras.  Other strings to look for include "ViewerFrame?Mode=" and "MultiCameraFrame?Mode=".  Together they produce more than two thousand additional hits.


I did a random look at the URLs the searches came up with and looked at a snowstorm in Lapland, an empty auditorium in Mexico, the center of East-Ayrshire (a town in England), the interiors of a number of restaurants and stores, a construction site in Hungary, ice and snow on Lake Lucille, a bunch of car garages, furniture showrooms, a number of computer centers, a Japanese radio talk show, lots of parking lots, and scads of traffic and weather cams.  Some of the cameras could even be controlled over the web.  By the way, there seems to be a lot of snow in Japan right now.


Some URLs did not respond and some sites did ask for a logname and password but thousands of cameras are there for the viewing.  I did not find anything risque but I only looked at a few sites.   


I hope that any of you who put in IP-based cameras, and want them to be private, do not assume that no one will find them on the Net.  I also hope that the manufacturers will fix their code to make the cameras not so easy to find.
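
One way for a camera owner to check their own exposure, as an added example that is not part of the original column: the Python below scans a web access log for requests to the viewer URLs named above that were answered without any login.  It assumes the camera, or a proxy in front of it, writes NCSA combined-format logs; the function name, the trusted address and the sample log lines are constructed for illustration.

```python
import re

# URL substrings the column names as findable through a search engine.
CAMERA_URL_MARKERS = ("view/index.shtml", "ViewerFrame?Mode=", "MultiCameraFrame?Mode=")

# NCSA combined format: host ident authuser [time] "request" status bytes "referer" "agent"
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample log lines (documentation-range addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Feb/2005:09:12:01 -0500] "GET /view/index.shtml HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.77 - - [14/Feb/2005:11:40:19 -0500] "GET /view/index.shtml HTTP/1.1" 200 5120 "http://www.google.com/search?q=inurl%3A%22view%2Findex.shtml%22" "Mozilla/5.0"',
    '198.51.100.4 - - [14/Feb/2005:11:52:47 -0500] "GET /ViewerFrame?Mode=Motion HTTP/1.1" 401 401 "-" "Mozilla/5.0"',
    '192.0.2.10 - owner [14/Feb/2005:12:03:30 -0500] "GET /ViewerFrame?Mode=Motion HTTP/1.1" 200 7300 "-" "Mozilla/5.0"',
]

def audit_camera_exposure(log_lines, trusted_clients=()):
    """Return viewer-page requests that were served without any login."""
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if m is None:
            continue  # not a combined-format line
        if not any(marker in m["path"] for marker in CAMERA_URL_MARKERS):
            continue  # not one of the camera viewer pages
        # "-" in the authuser field means no HTTP authentication took place.
        if m["status"] != "200" or m["user"] != "-":
            continue
        findings.append({
            "client": m["client"],
            "path": m["path"],
            "time": m["time"],
            "outside": m["client"] not in trusted_clients,
            # A referer carrying an inurl: query means the visitor came from such a search.
            "via_search": "inurl" in m["referer"].lower(),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_camera_exposure(SAMPLE_LOG, trusted_clients=("192.0.2.10",)):
        print(finding)
```

Any finding at all, even one from the owner's own address, means the viewer page is being served without a password; the "outside" and "via_search" fields show whether strangers have already arrived.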


disclaimer: Google finds Harvard easy to find (33.7 million hits), not all of them the university.  But the opinion on open cameras is mine, not Harvard's.