linux-nerds.org

Your browser does not seem to support JavaScript. As a result, your viewing experience will be diminished, and you have been placed in read-only mode.

Please download a browser that supports JavaScript, or enable it if it's disabled (i.e. NoScript).

40K IoT cameras worldwide stream secrets to anyone with a browser.

Technology

18 Beiträge 13 Kommentatoren 166 Aufrufe

H hansolo@lemmy.today
10. Juni 2025, 14:47

Shodan.io is the searchable index of open IoT devices.

Change the default password, people!
D This user is from outside of this forum
D This user is from outside of this forum
dan@upvote.au

schrieb am 10. Juni 2025, 15:44 zuletzt editiert von dan@upvote.au 6. Okt. 2025, 17:48

#7

Hard-coded default passwords have been illegal in California since 2020, so it shouldn't be as much of an issue with newer devices. Companies aren't going to make California-specific versions of their devices, so they'll often just follow the California standards everywhere.

To be legal in California, the device either needs to have a randomly-generated password unique to that device (can be listed on a sticker on the bottom of the device, or in the manual), or it needs to prompt to set a password the first time you use it.

I still wouldn't ever expose a camera directly to the internet. Keep it just on your LAN (eg using a VLAN) and VPN in (eg using Tailscale) to connect to it remotely.
H C 2 Antworten Letzte Antwort 10. Juni 2025, 16:15

12
P pro@programming.dev
10. Juni 2025, 14:02

This post did not contain any content.
E This user is from outside of this forum
E This user is from outside of this forum
emptiness@lemmy.world

schrieb am 10. Juni 2025, 15:48 zuletzt editiert von

#8

40K?

Praise the Omnissaiah!
1 Antwort Letzte Antwort

14
Z zarxrax@lemmy.world
10. Juni 2025, 14:34

It would be nice to know what brands or models are most vulnerable.
P This user is from outside of this forum
P This user is from outside of this forum
priapus@piefed.social

schrieb am 10. Juni 2025, 15:48 zuletzt editiert von priapus@piefed.social 6. Okt. 2025, 17:53

#9

What this is talking about is not really about the brand or model, its just about them being misconfigured. These cameras were exposed to the internet with either default credentials or no authentication.

Theres very few good reasons to expose a camera to the internet at all, just access it over a VPN. If for some reason someone really needs to access it over the internet (I genuinely cannot think of any), then they should put some proper authentication in front of it.
C 1 Antwort Letzte Antwort 10. Juni 2025, 20:21

7
D dan@upvote.au
10. Juni 2025, 15:44

Hard-coded default passwords have been illegal in California since 2020, so it shouldn't be as much of an issue with newer devices. Companies aren't going to make California-specific versions of their devices, so they'll often just follow the California standards everywhere.

To be legal in California, the device either needs to have a randomly-generated password unique to that device (can be listed on a sticker on the bottom of the device, or in the manual), or it needs to prompt to set a password the first time you use it.

I still wouldn't ever expose a camera directly to the internet. Keep it just on your LAN (eg using a VLAN) and VPN in (eg using Tailscale) to connect to it remotely.
H This user is from outside of this forum
H This user is from outside of this forum
hansolo@lemmy.today

schrieb am 10. Juni 2025, 16:15 zuletzt editiert von

#10

Yes, but no one checks the legality of cheap Chinese devices from Amazon.
M D 2 Antworten Letzte Antwort 10. Juni 2025, 17:45

16
P pro@programming.dev
10. Juni 2025, 14:02

This post did not contain any content.
V This user is from outside of this forum
V This user is from outside of this forum
vane@lemmy.world

schrieb am 10. Juni 2025, 16:55 zuletzt editiert von

#11

Those cameras are there since 90s I remember watching them in ActiveX in real media player plugin in IE. Nothing changed.
1 Antwort Letzte Antwort

20
H hansolo@lemmy.today
10. Juni 2025, 16:15

Yes, but no one checks the legality of cheap Chinese devices from Amazon.
M This user is from outside of this forum
M This user is from outside of this forum
manifish_destiny@lemmy.world

schrieb am 10. Juni 2025, 17:45 zuletzt editiert von

#12

Also cheap cameras also tend to ship with a number of x-day vulnerabilities.
D 1 Antwort Letzte Antwort 10. Juni 2025, 20:13

3
P pro@programming.dev
10. Juni 2025, 14:02

This post did not contain any content.
E This user is from outside of this forum
E This user is from outside of this forum
ensign_crab@lemmy.world

schrieb am 10. Juni 2025, 18:03 zuletzt editiert von

#13

40k? Impressive resolution.
T 1 Antwort Letzte Antwort 11. Juni 2025, 03:10

20
D dan@upvote.au
10. Juni 2025, 15:44

Hard-coded default passwords have been illegal in California since 2020, so it shouldn't be as much of an issue with newer devices. Companies aren't going to make California-specific versions of their devices, so they'll often just follow the California standards everywhere.

To be legal in California, the device either needs to have a randomly-generated password unique to that device (can be listed on a sticker on the bottom of the device, or in the manual), or it needs to prompt to set a password the first time you use it.

I still wouldn't ever expose a camera directly to the internet. Keep it just on your LAN (eg using a VLAN) and VPN in (eg using Tailscale) to connect to it remotely.
C This user is from outside of this forum
C This user is from outside of this forum
creat@discuss.tchncs.de

schrieb am 10. Juni 2025, 18:29 zuletzt editiert von creat@discuss.tchncs.de 6. Okt. 2025, 20:30

#14

Can't remember when it came into effect, but randomized device specific passwords are also mandatory in the EU now. This was relatively recently though. It means every single device (item, not model type or class) has to have an individual password (also usually it's on a sticker or something).

And yes, connecting any ip camera to the Internet is just dumb.
1 Antwort Letzte Antwort

0
H hansolo@lemmy.today
10. Juni 2025, 16:15

Yes, but no one checks the legality of cheap Chinese devices from Amazon.
D This user is from outside of this forum
D This user is from outside of this forum
dan@upvote.au

schrieb am 10. Juni 2025, 20:07 zuletzt editiert von dan@upvote.au 6. Okt. 2025, 22:08

#15

The good Chinese brands, if they do have a hard-coded password, usually make you change it on first login. I'm pretty sure newer Hikvision and Dahua models do this (plus their resellers/rebrands like Amcrest, Lorex, Annke, etc). You need to pay more than the garbage brands, but they're worth it.

Of course, there's all sorts of junk on Amazon that don't follow any sort of standards.
1 Antwort Letzte Antwort

1
M manifish_destiny@lemmy.world
10. Juni 2025, 17:45

Also cheap cameras also tend to ship with a number of x-day vulnerabilities.
D This user is from outside of this forum
D This user is from outside of this forum
dan@upvote.au

schrieb am 10. Juni 2025, 20:13 zuletzt editiert von

#16

It's usually fine if you stick to a good well-known brand, but there's some cheaper cameras that are bootleg clones of other brands, that can't run the latest upstream firmware so they're stuck on a hacked/modified version of older firmware.
1 Antwort Letzte Antwort

1
P priapus@piefed.social
10. Juni 2025, 15:48

What this is talking about is not really about the brand or model, its just about them being misconfigured. These cameras were exposed to the internet with either default credentials or no authentication.

Theres very few good reasons to expose a camera to the internet at all, just access it over a VPN. If for some reason someone really needs to access it over the internet (I genuinely cannot think of any), then they should put some proper authentication in front of it.
C This user is from outside of this forum
C This user is from outside of this forum
cmnybo@discuss.tchncs.de

schrieb am 10. Juni 2025, 20:21 zuletzt editiert von

#17

An IP camera may stay in use for a decade or more without any firmware updates. You shouldn't trust any sort of authentication that's built into the camera to be secure. Keep them on an isolated LAN and only allow access from the server that's running the DVR software.
1 Antwort Letzte Antwort

1
E ensign_crab@lemmy.world
10. Juni 2025, 18:03

40k? Impressive resolution.
T This user is from outside of this forum
T This user is from outside of this forum
tangent5280@lemmy.world

schrieb am 11. Juni 2025, 03:10 zuletzt editiert von

#18

For the Emperor!
1 Antwort Letzte Antwort

4

Anmelden zum Antworten

16/18

10. Juni 2025, 20:13

T

Collective Shout Purge Sees Horror Games In Crosshairs
Beobachtet Ignoriert Geplant Angeheftet Gesperrt Verschoben Technology technology
18 vor 10 Tagen
vor 14 Tagen
1

466 Stimmen

120 Beiträge

802 Aufrufe

S vor 10 Tagen

Mate, it just requires an address to transfer to. Nothing stopping an organisation like steam from making a wallet and accepting funds. This level of new inconvenience introduced might make it more appealing, not stupid.
S

Inflight Services Market to Hit USD 41.1 billion by 2033
Beobachtet Ignoriert Geplant Angeheftet Gesperrt Verschoben Technology technology
18 vor 16 Tagen
vor 16 Tagen
1

0 Stimmen

1 Beiträge

11 Aufrufe

Niemand hat geantwortet
H

Reverse engineering the mysterious Up-Data Link Test Set from Apollo
Beobachtet Ignoriert Geplant Angeheftet Gesperrt Verschoben Technology technology
18 vor 23 Tagen
vor 23 Tagen
1

42 Stimmen

2 Beiträge

28 Aufrufe

B vor 23 Tagen

Tech archeology like this is pretty neat.
1

People Are Being Involuntarily Committed, Jailed After Spiraling Into "ChatGPT Psychosis"
Beobachtet Ignoriert Geplant Angeheftet Gesperrt Verschoben Technology technology
18 vor 22 Tagen
vor 25 Tagen
1

106 Stimmen

28 Beiträge

329 Aufrufe

D vor 22 Tagen

Wait, we need compulsory ID checks to visit adult content but no checks with Chatgpt who is there to help you plan your suicide? We are about to face an epidemic of AI cat fishing, scams, and unhealthy relationships that corporations are pushing on us. This is like the Atomic bomb only with propaganda and psychological manipulation. The war for the human mind just got a shortcut and the Techbros are in charge.
P

A Win for Fair Use Is a Win for Libraries: Recent legal decision has reaffirmed the power of fair use in the digital age, and it’s a big win for libraries and the future of public access to knowledge
Beobachtet Ignoriert Geplant Angeheftet Gesperrt Verschoben Technology technology
18 30. Juni 2025, 07:07
29. Juni 2025, 14:39

172 Stimmen

8 Beiträge

83 Aufrufe

S 30. Juni 2025, 07:07

I wouldn't go quite as far. This is just breacrumbs falling of the corporate table.
J

Looking elsewhere
Beobachtet Ignoriert Geplant Angeheftet Gesperrt Verschoben Technology technology
18 4. Juni 2025, 08:30
3. Juni 2025, 09:59
1

7 Stimmen

3 Beiträge

34 Aufrufe

J 4. Juni 2025, 08:30

That's a valid point! I've been searching for places to hangout for a while, sometimes called "campfires". Found a cool Discord with generous front-end folks (that's a broad spectrum!), on frontend.horse.
P

Mozilla is shutting down Pocket, their read-it-later and content discovery app, and Fakespot, their browser extension that analyzes the authenticity of online product reviews.
Beobachtet Ignoriert Geplant Angeheftet Gesperrt Verschoben Technology technology
18 1. Juni 2025, 00:23
22. Mai 2025, 17:11
1

4 Stimmen

12 Beiträge

125 Aufrufe

G 1. Juni 2025, 00:23

Yeah, I don’t know how they’re doing it. They’re using some “zero trust” system. It’s beyond me.
L

GOP sneaks decade-long AI regulation ban into spending bill - Ars Technica
Beobachtet Ignoriert Geplant Angeheftet Gesperrt Verschoben Technology technology
18 13. Mai 2025, 22:40
13. Mai 2025, 21:15
1

87 Stimmen

10 Beiträge

141 Aufrufe

T 13. Mai 2025, 22:40

If you want to stay on the bleeding edge you've got to be a reversal of Europe, which means allowing innovation and competition. Hence why VT is nearly 70% US.