Hugging the Web (Part 2: Surveillance Takeover)

Welcome back, curious hackers! In today's tutorial, we will be diving deep into the manipulation of Google Operators, commonly referred to as "Google Dorks" in order to access Surveillance Cameras and other control panels.

"Why would I do that?" One might ask. Good question might I also add.

This tutorial is not intended as a manual for chaos but rather a reminder to secure your servers at home. A lot of attacks that I will show you today are simply because a large percentage of users don't put passwords on their cameras and leave them on the web, assuming that nobody will care to search for their camera on the web.

At this moment, there are an estimated thirty million surveillance cameras in the United States alone. The internet has granted any user the ability to search for specific servers on the web, with the most used search engine ever, Google. One could imagine what would happen when combining these two facts together, and that's why today, I bring you, Surveillance Takeover.

Google Operators Explained

Before we can use Google Operators, more correctly Google Search Operators, we need to know what exactly they are. To answer this question simply, they are ways to limit search results to be more specific in the Google search engine.

To use one of these magical functions, you have to type a certain symbol in the google search bar. I will explain briefly what a few symbols do in the list below, but be sure to check out the official page here.

inurl:(keyword)

This operator will make sure that the given key word is also listed in the url. For instance, inurl:onetwothree will show us results with only "onetwothree" in the domain's url.

intitle:(keyword)

The intitle operator will limit searches to only contain the given keyword in the title of the page or website. For instance, intitle:applesauce will bring up results with applesauce in the title.

These are the two main Google Search Operators we will be using today, but make sure you check out the official page as well. There is a lot of stuff you will need to know for the future on that page.

Exploiting the Operator

Now that we have a good idea of what a Google Operator is, how can we manipulate it? Well, when we search for specific results that include model name's of common Surveillance Cameras, and common keywords that are found in open security camera web pages, we get plenty of snooped upon, password free, insecure, creepiness.

In today's example, we will be finding insecure Axis 2400 video servers. These suckers are all over the web.

Let's hug it!

Firstly you will need to open a new tab and make sure you are in Google's search page. Once there, type in your search engine:

intitle:Axis 2400 video server

Be warned, anything you click on from here, I am not responsible for.
This is for demonstration purposes only.

Immediately I found that there were over 11,000 results given to me from google. The ones that are insecure usually look like an ip address. This is normal.

As you can see, upon clicking on one of these links I am immediately greeted with a private residence.

A couple more clicks here and there show me some other interesting cameras.

These aren't the only Google searches that bring up scary results. In fact, here is a list that I found from multiple online sources, that bring up just these kinds of results. You can find that in this pastebin page.

Conclusion

Hopefully you enjoyed reading today's tutorial as much as I enjoyed writing it. Moral of the story? Buy secure devices and make sure that you configure them properly.

If you have any questions or concerns, feel free to leave them in the comments of this post.

Have fun, be safe, hack the world!
-Cameron Glass