Terrifying IoT Search Engine Lets You Spy On Strangers' Webcams

Vocativ | By Jennings Brown and Adi Cohen on Jan 25, 2016 at 3:27 PM

PSA: Create strong passwords (Not actual footage from a web cam) (Getty Images)

Think of the millions of devices with video feeds—maybe the baby monitor perched over your kid’s crib or a security camera looking out over your back porch. A new feature on the most popular search engine for the Internet of Things just made it a lot easier to find such feeds. And it’s even creepier than you can imagine.

Shodan is a website that scans the internet for publicly accessible devices and captures their IP addresses—creating a searchable index that includes everything from in-home surveillance cameras to traffic lights to fetal heart monitors to power switches for hospitals. Essentially any of the so-called Internet of Things that doesn’t have a password is up for grabs, and that’s more devices than you’d think.

Programmer John Matherly developed the site in 2009 when he was a teenager, and he originally thought his pet project would help large tech companies see who was using their devices. But now the site is mostly used by hackers and researchers. Until recently, Shodan was used almost exclusively within the cybersecurity community, because searches require a general understanding of technical language. But a new feature has made it easier for anyone to peek people’s home surveillance devices. The new channel includes screen grabs of security camera feeds along with their location.

As Ars Technica reports, these webcams show feeds from sensitive locations like schools, banks, marijuana plantations, labs and babies’ rooms. Shodan members who pay the $49 monthly fee can search the full feed at images.shodan.io. A Vocativ search of some of the most recently added images shows offices, school, porches and the interior of people’s homes. Accompanying each of these grabs is a pinned map that shows the location of the device capturing that footage.

The site also offers free memberships that allow anyone to search through thousands of webcams. Most of these devices require a password to view the feed (Shodan users have written a few articles about the most-used passwords so that others can easily hack feeds), but unfortunately many people don’t set up password authentication on their devices. Such cameras are easily accessed through Shodan, and many of them can even be controlled by Shodan users.

Moments after setting up a free account, we were able to access and maneuver several security cameras, moving them from left to right and up to down within homes, businesses and a room holding adorable Pomeranian puppies. Shodan also provided the general location where each of these live feeds were coming from, which means it would not be difficult to track down those puppies and figure out when their owner is away.

So, if you value your puppies or personal privacy, set up a password on all your connected devices.