IoT security sucks so bad, there's a search engine just for Peeping Toms
The more things change, the more they stay the same, and the lack of security in new tech is no exception. For decades now, we've watched and shuddered as one tech after another came out with security holes big enough to fly a jet through.
Software and hardware are both so plagued, as the push to speed time to market consistently took priority over battening down the hatches and locking the doors. I suppose we shouldn't be surprised that security for IoT devices and software sucks so bad that there are now search engines for browsing webcams.
"The feed includes images of marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories and cash register cameras in retail stores, according to Dan Tentler, a security researcher who has spent several years investigating webcam security," reported J.M. Porup in a post at Ars Technica UK.
"It's all over the place," Tentler told Ars Technica UK. "Practically everything you can think of."
The name of the search engine for webcam image feeds is Shodan. Ars Technica reported there's both a premium account and a freemium account available to users, although the freebie search appears to be shut down now.
Insecure webcams are not a new problem and they have been widely exploited, even by governments. If you would like to see an example, check out this post in The Guardian on the U.K. government spying on people – yes, American users too! – through webcams.
Now imagine IoT devices everywhere – in sensitive places within companies too. And think about what that means when criminals need only to use search engines to grab that data rather than spend the effort to actually breach a data base.
"The bigger picture here is not just personal privacy, but the security of IoT devices," security researcher Scott Erven told Ars Technica UK. "As we expand that connectivity, when we get into systems that affect public safety and human life – medical devices, the automotive space, critical infrastructure – the consequences of failure are higher than something as shocking as a Shodan webcam peering into the baby's crib."
Vendors resist securing devices and their data because it costs them money. It's past time for users – be they individuals or companies – to insist on better built-in security and rigorously enforce that through their purchasing power.