CSP-CERT® Resources:
Philippine Web Cam Expose!

by CSP-CERT® VAPT Team Manager - John Patrick Lita
posted July 2017



This article is not really new, because this issue has existed for many years, but we decided to write it for the security awareness of the community. We started to look for web cams exposed in public.


Doing this research can be fun because we can see and use these web cams with no sweat, since they are accessible to the public, and you feel like you have the “GOD'S EYE” - that term is just for fun, but yeah, it's something like that :)


To search for vulnerable cameras, we used SHODAN, which is one of the best search engines for finding vulnerable devices, services, routers, misconfigured servers and the like.


This article is intended for Philippines Threat Landscape Research only. First, we searched for cameras that use default passwords; we succeeded on some and failed with others due to some sort of security controls in place, like IP white-listing, which is good. Then we started navigating Shodan's web interface to search for default-password web cams.





Now we have 1,512 results from different regions in the Philippines. If we look at the HTTP headers on the right side, they say (200 OK), which means the web cam login page is accessible with a web browser. Some of them don't have authentication, but most of them do.







In the results, we can view or manipulate the position of the camera if we want.







WHAT ARE THE RISKS?



These web cams are using default credentials, and some of them have no authentication to view the cameras.


BOTNET - a device or network of private computers infected with malicious software and controlled as a group without the owners' knowledge. Example: Denial of Service Attack.


Cyber Espionage - the use of computer networks to gain illicit access to confidential information, typically that held by a government or other organization.


Others can use the cameras to commit crime, where the criminal can change the angle of the camera to hide their asses.


THE QUESTIONS:

  1. How can the Philippines address this kind of incident and prevent this risk?

  2. How does the Philippine Government regulate these vendors selling products without educating the customers?

  3. How can Filipino consumers secure their cameras?

  4. Who is liable when these cameras are exposed and not intended to be publicly available?

  5. Business or Security? Which comes first?


We know that implementing security in a product can affect the reliability of the customer's experience, but once customers understand the benefits of security, they can use the device and service more confidently, without worrying that their data is being exposed in public.


Note: This article is intended for educational purposes only; the tool we use in this article is publicly available to everyone. Any actions and other activities related to the materials contained within this article are solely your responsibility.


The author of this article is not held responsible in the event any criminal charges are brought against individuals misusing the information in this article to break the Philippine Constitution.


This article is intended to develop the Threat Landscape in Philippine Cyberspace.