Webcams and Security - A match made in ...?
Posted by Gunter Ollmann on October 18, 2006 at 10:47 PM EDT.

There was an interesting post today (on MEMRI) about an Islamist website that reportedly posted details on how to use webcams to “spy on the enemies” and focuses on Anchorage International Airport.

I’m a little surprised that people are only now becoming aware of the security significance of public webcams.  In the past, when conducting penetration tests, webcams have cropped up at regular intervals, and clients have always been surprised at how they can be used by an attacker to increase the probability of success for their attack. 

As an example, a few years ago I was conducting a pentest for a very large international banking organization and we uncovered a webcam that had been mounted in the IT department overlooking everything.  While the picture quality of the webcam itself was not good enough to actually read any of the screens, it proved invaluable for conducing stealthy attacks.  Early on in the pentest we identified that they had an IDS system installed and were actively monitoring it.  Using the webcam, we were able to easily monitor when the clients monitoring teams changed shifts, went home for the evening and when they turned up for work the next morning.  Armed with this information it would have been trivial to coordinate a ‘noisy’ attack and slip out before anyone was in a position to raise the alert or respond.  In other cases it has been possible to monitor peoples hand movements over a keyboard as they type in their password to log in to their computer.

Now, on the point of someone monitoring airports for the purpose of doing something unscrupulous, I can see how this information would be extremely useful for planning purposes and even social engineering.  Just by going to a popular webcam portal (Earthcam) and searching on the keyword “Airport”, 185 webcams were returned ranging from Bankstown Airport in Sydney through to Shoreham Airport in England.

I suppose the scary thing is that the proliferation of public webcams is likely to keep on increasing.  Already you can take remote control of hundreds of high-street webcams – panning, tilting and zooming to your hearts content.  I wonder if organized crime have similarly been using public webcams to study local banks to find out when the staff arrive or leave for the day or when money is transferred by truck?  I’d be surprised if they haven’t already been tapping these valuable reconnaissance assets.
    Copyright 2001-2007 © Gunter Ollmann