One week some years ago, I was training a bunch of apprentices in London. The five-day course was on OSINT, and of course it included a module on Shodan plus a lot more. On the first day or two of the course, an enthusiastic boy called me over to look at what he had found. When I was under 20 like him, I wouldn’t have thought too much about the dangers of looking into organised crime.
I swiftly went over and laughed. By chance, without meaning to, he had found a cannabis farm on Insecam.org. This website has numerous categories, including bars, bridges, car parks, factories, hairdressers and farms, where this “business” was listed some years back. Under the farm category you typically see cattle, but on this occasion it was an illicit type of farm.
As this is related to organised crime, I shall be more cagey than normal with details. The cameras (4x) were all located in one well-known city and there seemed to be two rooms. In my view the setup was professional and costly – not that I know anything about running such operations! Some digging was done legally into the device and ISP in question, and then later on in the day a male “gardener” came in to check on his crops. Yes, we saw a man on camera who appeared to be from Europe.
That is enough info. If I gave any more you could work out the camera brand, city and ISP. Just as I was publishing this, I decided it was best not to publish a picture of the man caught on camera - even pixelated.
How should you secure home internet-connected CCTV?
- Change default username
- Change default password
- Disable default accounts
- Enforce 2FA
- Enable brute-force detection/blocking
- Only allow remote connections once you are on a VPN into your home network
- If you don’t need access from outside your house, disable external ports
- Patch it (keep the firmware up to date)
- Secure your home Wi-Fi
- Connect the camera over cable instead of Wi-Fi
- Disable what you don’t need
- Separate the camera system from your personal devices
- Disable UPnP
- Only buy tested or certified cameras, such as those listed at https://www.av-test.org/en/internet-of-things/ip-cameras/
- Enable encryption in transit (TLS), ideally with an externally signed certificate
- Change the default port (only increases security a little)
- Use the inbuilt firewall or a separate firewall
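
One way to combine the firewall, separation, VPN-only and no-external-ports items from the list above on a Linux-based home router, as an added nftables example that is not from the original post. The interface names (wan0, lan0, cam0, wg0) and the choice of HTTPS and NTP ports are assumptions; substitute your own.

```nftables
# Added example, not from the original post. Assumed interface names:
#   wan0 = internet uplink, lan0 = personal devices,
#   cam0 = camera-only wired network, wg0 = WireGuard VPN into the home
table inet cctv {
    chain forward {
        # policy accept: this table only restricts camera traffic and
        # leaves all other forwarding to the router's existing rules
        type filter hook forward priority 0; policy accept;

        # Replies for connections that were allowed by the rules below
        ct state established,related accept

        # Viewing: only personal devices and VPN clients may open the
        # camera's HTTPS interface
        iifname { "lan0", "wg0" } oifname "cam0" tcp dport 443 accept

        # Nothing else may start a connection to a camera. This covers
        # the internet side too, including any port forward that points
        # at the camera network.
        oifname "cam0" log prefix "to-cam blocked: " drop

        # Cameras may sync time; widen this only when a firmware
        # update needs it
        iifname "cam0" oifname "wan0" udp dport 123 accept

        # Everything else a camera tries to reach is logged and dropped,
        # including personal devices on lan0
        iifname "cam0" log prefix "from-cam blocked: " drop
    }
}
```

Check the file with `nft -c -f <file>` before loading it with `nft -f <file>`.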