Spying on strangers through their own webcams is now easier than ever.
Shodan — a company that describes itself as a search engine for Internet-connected devices — launched a tool last year that lets users access publicly available webcams all over the world. Recently, the company added freeze-framed images from those webcams, making browsing through people's public and private lives as easy as clicking through a Netflix catalog.
An American toddler in daycare? Check. Sleeping couch potato in Hong Kong? You got it. Or perhaps you're into a specific street corner in Guangzhou, China? Plus who knows what else. Full access to over 1,000 webcams — pointed at public and private spaces around the world — requires a one-time membership fee of $49.
Of course, tech-savvy spies have always been able to tap into unsecured webcams or hack into poorly protected devices, but the new feature on Shodan makes it easier than ever for anyone to browse a library of webcams that have not been password protected.
"Shodan has started to grab screenshots for various services where the existing text information didn't provide much information," founder John Matherly wrote in an email. "This was launched in August 2015 and the various sources for screenshots have expanded since then — one of those recent additions is for webcams."
Matherly calls Shodan the first search engine for the Internet of Things, pulling in data from anything connected to the Web. The site has been used for, among other things, studying the popularity of HBO Go on Roku and producing a global map of industrial control systems, Matherly said. Shodan's home page touts the service as "the search engine for power plants, refrigerators and webcams," among other things.
Matherly was quick to point out that the company is not specifically focused on webcams. "Shodan wants to provide a complete view of the Internet which includes control systems, printers, servers, databases, tea kettles and of course webcams," he wrote.
Still, the three most popular searches listed on its website are 'Webcam,' 'Cams' and 'Netcam.'
The site's capability is fascinating — and potentially disturbing. But, creepiness aside, are there actual risks associated with, say, someone in a remote location tuning in to a baby monitor?
"When you think about the real-world risks, you have to reach pretty far to find something that would be genuinely bad," said Anton Chuvakin, security and risk management researcher at Gartner. He noted that while it may be possible to find the neighborhood in which a webcam is located, it is very unlikely that the Internet Protocol address could reveal an actual house.
"Basic geographic information is available for almost all devices on Shodan, including webcams," wrote Matherly. "Note that the granularity of the physical location is extremely rough: it can tell you in which city/country it is located but it isn't possible to pinpoint the exact physical location."
However, each webcam screenshot is paired with a map, and in rural areas where there are fewer houses, it doesn't seem like it would be hard to find an actual location.
Of course, hackers don't need Shodan to access unprotected webcams, or hack into poorly protected devices. But when it comes to cyberstalkers using information gathered this way for malicious purposes, such as extorting victims for money, Chuvakin believes such schemes are of extremely limited use.
"You have to — presumably — hack into a lot of PCs and figure out where there are naked people. It's a project, and there are so many better ways to make money if you're a cybercriminal," he said.
As always, the solution to protecting your webcam from being viewed by unwelcome eyes is password protection of your devices — in this case your router. "People never change their router's wireless password — it's a rarity," said Trend Micro chief cybersecurity officer Tom Kellermann. "Change that, because that's the gate-keeper to everything that connects to your home network."
Chuvakin agreed: "Don't use standard passwords that come with the router."
Right now, nothing is forcing device makers to improve built-in security, which ought to change, said experts. For example, the FTC could mandate that webcam makers ship cameras that require users to set their own login credentials, rather than allowing default usernames and passwords to be applied.
"Can the regulator make the good thing easier and the wrong — risky thing — harder? If yes, then sure, that's good regulation," said Chuvakin.
"When it comes to IoT, the FTC needs to get involved immediately," said Kellermann. "To protect the physical privacy of consumers, because these devices can be used to violate the physical privacy of consumers, there needs to be greater assurances on the software, easier update functionalities and greater security provided."
The FTC did not respond to a request for comment. The agency did issue a report on Wednesday calling on companies to adopt best practices to address consumer privacy and security risks.
"The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers," said FTC Chairwoman Edith Ramirez. "We believe that by adopting the best practices we've laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized."