So I’m back to blogging, with a new website coming soon!
This is a post showing how easy it is to spy on anyone through a loophole in a webcam vendor’s software.
Gaining access is simple, and what’s even simpler is staying a ghost, knowing they have no idea you are watching them.
Basically, the way I approached this was to look at various webcam software vendors that allow remote access.
Then, by finding an authentication bypass vulnerability for the administrator account, you can gain access to the admin panel of a host that exposes the open port.
The server emits special headers which you can use to find more vulnerable hosts.
Then, after selecting a country, you grab the list of hosts and gain complete control of their cameras.
Here is what I found last night within around 10-15 minutes or so of looking:
This was a user’s home PC. There were two computers and I gained access to only one.
There is a couple, and they are completely unaware that I can see everything they’re doing.
This is a Filipino net cafe, witnessing life there and seeing multiple users. But it’s just not fun enough, I need something more interesting, more spy worthy, more people to monitor.
So I kept searching for vulnerable hosts.
This is more like it, I can see more cameras through my camera.
“Spy on the people, spying on you.”
I tried to access a monitor with multiple cameras on, so I could get a better and faster view of the cameras.
So I found another host that had the same type of monitoring software:
I decided it still wasn’t enough; I wanted to have an outside view on things.
So I found some hosts in Russia that were vulnerable, showing building sites and basic traffic stops.
Quite basic, and here’s a block of apartments in Russia:
The title here translates to:
Moscow – Camera 1
To protect from this:
If you do run webcam software on your computer system, I suggest you enforce strong passwords, disable the administrator login and add a new user with admin rights.
Also consider denying all hosts from connecting to the WebUI apart from your trusted connections. Most webcam software can also email or notify you when someone has logged in from an untrusted source.
So always remember that people can watch you, all the time, whenever they wish, you can only reduce the risks.
And there’s not much you can do to really prevent it. The steps I’ve shown above simply reduce the risk of it happening to you.
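The untrusted-source notification suggested above, sketched as an added example (not from the original post or from any webcam vendor's software): it scans WebUI access log lines and reports successful requests from addresses outside a trusted allowlist. The Common Log Format layout, the allowlisted networks and the sample lines are constructed assumptions.

```python
import ipaddress
import re

# Assumption: networks allowed to reach the webcam WebUI (constructed values).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "203.0.113.10/32")]

# Assumption: the WebUI, or a reverse proxy in front of it, logs in Common Log Format.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

def is_trusted(ip_text):
    """True only if the address parses and falls inside an allowlisted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # an unparseable source is treated as untrusted
    return any(ip in net for net in TRUSTED_NETWORKS)

def untrusted_access(lines):
    """Return (timestamp, ip, user, path) for 2xx responses served to untrusted sources."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines in another format
        if m["status"].startswith("2") and not is_trusted(m["ip"]):
            alerts.append((m["ts"], m["ip"], m["user"], m["path"]))
    return alerts

# Constructed sample log lines (documentation address ranges, not real hosts).
SAMPLE_LOG = [
    '192.168.1.20 - owner [12/Mar/2024:21:04:11 +0000] "GET /admin/ HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Mar/2024:21:09:42 +0000] "GET /admin/ HTTP/1.1" 401 312',
    '198.51.100.7 - admin [12/Mar/2024:21:10:03 +0000] "GET /admin/ HTTP/1.1" 200 5120',
    '203.0.113.10 - owner [13/Mar/2024:07:30:00 +0000] "GET /live.jpg HTTP/1.1" 200 48211',
]

if __name__ == "__main__":
    for ts, ip, user, path in untrusted_access(SAMPLE_LOG):
        print(f"ALERT {ts}: {ip} (user={user}) reached {path} from an untrusted source")
```

A successful response to an untrusted address also means the deny rule in front of the WebUI is missing or not working, so treat each alert as both a login notification and a firewall check.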
Someone else had the same idea on this topic, except they used Google Dorking to gather possibly vulnerable hosts, and didn’t use any administrator bypass, just blank passwords on Toshiba Web Camera software to gain access to users’ accounts:
That’s all for now ;-)