Abusing the Internet of Things

(Rick Simeone) #1

variety of filters. Shodan continuously locates and queries devices all over the Internet to index
the services running on them.


FIGURE 3-2. The Shodan search engine


According to research published in a paper titled “Exploiting Foscam IP Cameras”, the
web server running on Foscam devices returns the value Netwave IP Camera (later versions of
Foscam devices and firmware have the value Boa/0.94.13) in the Server field as part of the
HTTP response. Using this information, it is easy to query Shodan to find the IP addresses of
Foscam devices, as shown in Figure 3-3.

As you can see from the Shodan query in Figure 3-3, about 700,000 IP addresses were
instantly found in response to our query. This demonstrates how easy it is for a potential
attacker to locate vulnerable devices such as Foscam baby monitors and exploit known
vulnerabilities.
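The same Server-field fingerprint can be used defensively, to check whether addresses you administer present a camera banner to the Internet. The following is an added example, not code from the book: it parses saved HTTP responses and flags the two Server values named above. The function names, the verdict wording and the sample captures are assumptions constructed for illustration.

```python
# Added example: flag Foscam-style Server banners in HTTP responses captured
# from addresses you administer. All sample data below is constructed.
import re

# Server values the chapter attributes to Foscam firmware. Boa is a generic
# embedded web server, so that match is graded as a hint only (an assumption
# of this example, not a statement from the book).
BANNERS = {
    "netwave ip camera": "likely Foscam (older firmware)",
    "boa/0.94.13": "possible Foscam (generic Boa server, verify by hand)",
}

def server_header(raw):
    """Return the Server header of a raw HTTP response, or None if absent."""
    # Only the header section counts; a body that mentions "Server:" must not match.
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    for line in re.split(rb"\r?\n", head)[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1")
    return None

def audit(captures):
    """Map address -> (banner, verdict) for responses that match BANNERS."""
    findings = {}
    for addr, raw in captures.items():
        banner = server_header(raw)
        verdict = BANNERS.get(banner.lower()) if banner else None
        if verdict:
            findings[addr] = (banner, verdict)
    return findings

# Constructed captures keyed by documentation-range addresses (RFC 5737).
SAMPLE = {
    "192.0.2.10": b"HTTP/1.1 200 OK\r\nServer: Netwave IP Camera\r\nContent-Length: 0\r\n\r\n",
    "192.0.2.11": b"HTTP/1.0 401 Unauthorized\nserver:Boa/0.94.13\n\n<html>Server: x</html>",
    "192.0.2.12": b"HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n",
    "192.0.2.13": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\nServer: Netwave IP Camera",
}

if __name__ == "__main__":
    for addr, (banner, verdict) in sorted(audit(SAMPLE).items()):
        print(f"{addr}\t{banner}\t{verdict}")
```

Any address this flags is a device whose web interface answers from outside the network and should be moved behind a firewall or VPN.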

