Like so many people, including myself, looking for things to do during last year's (2020) covid lockdown and right up till now, I've found myself wandering down the rabbit hole on the internet more often.

A few years ago I signed up to a website called Shodan, which is not unknown, but I stumbled upon it. Fascinated with how it works and the information it holds, I started using the filters and would just search for places around my area, spending hours clicking on IP addresses and seeing what came up. Recently I stumbled upon what at first I thought were a few little security issues, some with the odd company. Two of these really stood out to me, and I have been pondering the ethics behind them, as they could affect people's lives more than me just clicking some buttons on a website.

Looking further into the first one: when I was asked by the installer to give it port forwarding on port 80, I asked why. They replied, "so the client can access the alarm remotely". After some discussion the conclusion was that I didn't know what I was talking about, as quoted: "How would this be found? You would have to know the IP address." (I didn't forward the port.) But looking up the product on Shodan, it started to show me a list of IP addresses with the product open on them. These were the model that has a module that allows app access using Universal Plug and Play (UPnP), which isn't bad in itself; it is an easy way for devices to connect. The alarm module is now connected to the internet to be remotely used, which is not uncommon and, done correctly, could be a great way to access your alarm. However, this was not done correctly, and the HTTP webpage GUI (graphical user interface) was up, with its 6-digit pin code on the front screen. Now at this point I've gone to a website which, outside of the cyber world, isn't really known, and looked up some details. OK, that's bad, but if you take the words off the front page and place them in Google, it brings up every internet-accessible alarm made by this company in its index.

The second one: I used one of the recent filters on Shodan one night which looked for cameras. I then added a filter for my country, and it starts bringing up cameras that are streaming on the internet. I found that these cameras are using UPnP to broadcast a Real-Time Streaming Protocol (RTSP) stream openly, which, if you wanted to, you could link to some kind of player or VLAN player and watch these cameras if you so choose, and the owner would be none the wiser.

At this point is where the threat to people's safety and well-being comes into play. What happens if the wrong person finds an IP baby monitor streaming on the internet, or has the ability to turn off your alarm without you knowing, because they can Google it? I mean, I can't say I didn't like a good game of hide and seek or spotlight as a kid, but it wasn't with the whole world. I understand that, for me, reporting this and informing the right people is at hand to hopefully fix some of these products, because I found them, but what about all of these people that have no idea this is happening to them? Not just for privacy's sake but for safety, these products should be up to the companies making IoT devices. I don't know, maybe you have a different idea on this?