To Watch or to Be Watched? Turning Your Surveillance Camera Against You, presented at PHDays 2013

by Sergey Shekyan, Artem Harutyunyan

Summary: Low-cost commodity IP surveillance cameras are becoming increasingly popular among households and small businesses. As of January 2013, Shodan shows close to 100000 cameras active all over the world. Although there are many models from different vendors, most of them are based on similar hardware and firmware. There are even other devices (such as Internet TV boxes) that use similar firmware.
Interestingly enough, those cameras place little or no emphasis on security. In particular, the web-based administration interfaces can be considered a textbook example of an insecure web application. This easily leads not only to exposure of sensitive personal information (such as wireless network, FTP, and even email access credentials), but also provides an eye into the inside of your house. Last but not least, it can be used to alter the video stream with an external stream or a still picture.
Sergey Shekyan is a Senior Software Engineer for Qualys, where he is focused on development of the company’s on-demand web application vulnerability scanning service.
As a side interest, Sergey enjoys researching Application Layer DoS attacks and trying to fix Web browsers. Sergey holds both Master's and BS degrees in Computer Engineering from the State Engineering University of Armenia. Sergey has presented at BlackHat, H2HC, and other security conferences. Blog at
Redwood City, CA, USA
Artem Harutyunyan is a Software Architect for Qualys. His responsibilities include design and development of distributed computing systems for storing and analyzing large volumes of data.
Prior to joining Qualys, Artem spent several years at CERN, where he worked on the development of geographically distributed large-scale Grid computing systems. Artem holds a PhD from the State Engineering University of Armenia.
