Hackers Can Spy on Your Sleeping Baby

Smart-home technology aims to make us all more connected, and our appliances more easily accessible, but for many people, these new gadgets accidentally reveal their private lives to prying eyes. That's what we can tell after using the Shodan search engine, which indexes all non-computer devices connected to the Internet, including unsecured webcams that some are using to keep tabs on their loved ones.

Credit: Tatyana Tomsickova/Shutterstock

(Image credit: Tatyana Tomsickova/Shutterstock)


If Shodan comes across an Internet-connected camera that isn't set up properly, a snapshot from the camera is pulled. If you have a $49 paid Shodan account, you get access to images.shodan.io, which aggregates all the feeds into a neat package, letting you too spy on strangers, or anyone whose IP address you know.

MORE: Best Baby Monitor - Night Vision Video and Monitoring

But you don't really need a paid Shodan account to see which cameras are currently leaking their content. Just create a free account with Shodan, then use the search query "port:554 has_screenshot:true."

You'll find a rather boring series of photos of parking lots, building entryways and living rooms. While there are no doubt thousands of parents who haven't reset the default passwords on the Internet-connected nanny cams used to monitor their kids, there is no way to filter down to just cameras that are trained on infants.

The children's bedroom we found in a Shodan search.

The children's bedroom we found in a Shodan search.

We found only one result that was clearly from a child's bedroom, identified as such because of a rather large stuffed Winnie the Pooh doll. There was no child in the snapshot, but Shodan provided us with the IP address (obscured in our photo) of the camera, as well as its geographical location, Internet service provider and what looked like an account name.

We tried refreshing the feed from that specific camera and were confronted with a login window, which is a good sign. However, if we had known the default username and password for that brand of camera, we might have been able to get in, assuming that the camera's user had not changed them.

This isn't the first time anyone on the Web has been able to peep on security cameras. Four years ago, a pseudonymous hacker named "someLuser" showed that it was very easy to snoop on TrendNet cameras using a regular Web browser, which led to TrendNet being fined by the Federal Trade Commission.

Owners of any smart-home devices should make sure they have changed the default account passwords, if such security options are available. If you want to check if your home has been exposed on Shodan, it's not difficult. Paste your IP address, which you can find at What's My IP Address?, to the end of the URL http://www.shodan.io/host/ and if any photos pop up, then you've not secured your cameras.

TOPICS
Henry T. Casey
Managing Editor (Entertainment, Streaming)

Henry is a managing editor at Tom’s Guide covering streaming media, laptops and all things Apple, reviewing devices and services for the past seven years. Prior to joining Tom's Guide, he reviewed software and hardware for TechRadar Pro, and interviewed artists for Patek Philippe International Magazine. He's also covered the wild world of professional wrestling for Cageside Seats, interviewing athletes and other industry veterans.