When blackhats become heroes: the untold story of the Protocol Police

On Tuesday, May 7th, I was researching different Shodan filters when I received a private message on Twitter. The contents of that message made me sit down and rethink my strategies for #OpChildSafety. That’s because I learned how bad actors could compromise discoverable security cameras over the internet and use them to secretly watch children.

Right when I thought I had heard everything, it dawned on me with startling clarity that this was yet another avenue of warfare being waged to exploit children through an easily exploitable attack vector. The person bringing this to my awareness was none other than a true old-school cyber vigilante from a bygone era.

He was a member of a little-known black hat collective known as the Protocol Police. More importantly, irrespective of the hat he wore, I learned that this tight-knit group of cyber vigilantes had caused waves in the Netherlands in their fight to protect children online. Moreover, they had to fight the system to overcome legal barriers.

In the end, everyone won.

Google Dorking at a glance

I remember during the mid-2000s, I learned all about the insecurities of web-facing cameras and familiarized myself with installing them for home security. For one, I lived in a rough neighborhood in Arlington, Texas.

Secondly, I was a notorious blackhat computer hacker myself. After all, it wasn’t unreasonable that I wanted to be able to see if and when the FBI was about to kick in my door. (Fun fact: They nabbed me at work, instead.)

I worked as a night shift security guard, and my partner was prone to diabetic seizures in her sleep. Therefore, I installed a camera in our bedroom to monitor her and our newborn child while I was away. As part of my job description, I monitored domestic CCTV cameras, which is a vital aspect of perimeter security.

During this time, it became very popular among hacking communities to search for IP cameras by using advanced search filters called Google Dorking, also known as Google Hacking and Google-Fu.

This allows users to search the internet for vulnerable devices, misconfigured web services, and much more. Users can run searches that narrow down specific information, which is generally not searchable through conventional means. Even though the information is publicly accessible, Dorking can reveal sensitive information not meant for public viewing, such as IP cameras.

One time in 2008, I hacked into a remote desktop and accessed a convenience store’s CCTV camera system. It was interesting because I could tell if anyone was stealing. Because the desktop computer was facing a mirror, I could see what the store clerk could see on the desktop – if he ever paid attention. But he never saw the windows opening or the mouse moving.

A few years ago, I had friends visiting a popular restaurant in New York. Using Google Dorking techniques, I was able to locate and view streaming public CCTVs and traffic cameras. I was able to find a public-facing CCTV camera along the strip, located half a block away, and had them wave at me.

The security issue surrounding many searchable CCTVs and private IP cameras is that it is not uncommon for the people who install them to leave access to the cameras open and unauthenticated, which requires no user login. This means anyone can start viewing or controlling the camera feeds.

While this may seem innocuous, if extremely creepy, at first glance, I want you to think about an unknown actor compromising insecure web-facing IP cameras or even baby cameras installed by parents in their children’s bedrooms. This is an actual problem. As a direct consequence of this unchallenged problem, the Protocol Police formed and did something about it.

Parents are largely unaware of the sheer scope of the online dangers aimed against their children daily. But installing poorly secured cameras in such private areas of our children’s lives is an entirely different matter.

It’s terrifying to think what a bad actor could do with private camera feeds of our children, where instead of being safe in their own homes, they are inadvertently placed in a new kind of unimaginable danger of being exploited.

What happens when cyber vigilantes band together to locate these cameras in an attempt to report them to Dutch law enforcement but are unable to investigate the matters due to privacy laws?

It takes a hacker to think like a hacker, and after two years of pushing these issues to the authorities, they made a breakthrough.

This is their story.

When hackers do the right thing

This all started when a self-described blackhat hacker and Red teamer named Rob searched through Shodan one day, merely sifting through information and driven by a strong wind of curiosity. At some point, he decided to poke his head into some of the public-facing IP cameras.

Those of us who do this are often interested in seeing remote locations we wish we could see in person. However, what he found disturbed him at his core: Nanny cameras. What’s worse, there were children on camera. The problem was how to report it. And to whom? Rob decided to notify the Dutch Police. After all, “We as hackers could never have made those parents feel at ease…” Rob explained.

Somewhere during this time, Rob and his friends formed a group known as the Protocol Police. In the grand scheme of things, these findings would ultimately change the trajectory of their lives as they worked together in spearheading a pivotal global #OpChildSafety initiative that needed immediate attention.

Regardless of the colored “hats” hackers wear and their respective differences with law enforcement, they knew they needed to approach the Dutch Police with these significant findings. Naturally, they were initially met with resistance. The Police were “not wanting to cooperate with scary hackers,” Rob explained.

After around three months of wrestling with the Police, who were hesitant to cooperate with the hacking group, it all started to come full circle after Rob gave a talk called “Around the world in 80 networks, Hacking Universities Worldwide” at the MCH2022 (May Contain Hackers 2022) grassroots cybersecurity conference held in the Netherlands. According to Rob, this got their attention. Now the Police wanted to talk.

They began to understand the ramifications of what the hackers were trying to convey, especially if they didn’t find a way to act on the information being presented to them. The goal was simple: find a way to inform the parents running these insecure web cameras.

The problem they ran into was that, like most law enforcement agencies, the Dutch Police cannot simply contact Internet Service Providers (ISPs) and obtain user data for any reason – unless a crime was committed. They tried to devise lawful solutions around this, but there was no way to legally justify it. Police simply cannot request a judge to issue a subpoena without probable cause.

So the hacker and his friends decided to spin an idea.

They made themselves out to be the proverbial “suspects” behind the incidents they were reporting in order to satisfy the legal requirements that authorized law enforcement to open an investigation.

This way, the Dutch Police could receive authorization from a judge to subpoena the ISPs and obtain the parents’ contact information. In turn, the Police would be able to carry out home visits to the parents and reveal that their nanny cameras were viewable on the internet. The best part is that this was exactly what the Dutch Police were able to do.

This appears to be the extent of the blackhat’s involvement with the authorities. Neither motivated by fame-farming nor ill-gotten gains, the hacker continues his curiosity-driven quest to find vulnerabilities in devices across the internet in the way that hackers do and in the spirit of a forgotten generation that hacked for fun because it was intellectually stimulating.

On July 4th, 2023, local police Officer Jaap Molenaar posted on Twitter, “Based on the following, I made a home visit yesterday. Parents were happy!”

Rob recounts the experience, explaining, “We took down a couple of hundred cams where small children were exposed.”

He continued to explain how parents were glad the police came to them about their exposed cameras because it meant the Police, the parents (and the hackers) could fix the security issues by ensuring that the feeds were properly protected.

Even if it meant that the Dutch Police could never officially claim that the information they were acting upon was due to unofficial cooperation from hackers, the initiative was working.

In the culmination of everything that unfolded, the cyber vigilantes were able to accomplish what most of us previously thought was impossible: meet law enforcement halfway and build a bridge to cooperate for an important cause involving the safety of children.

Furthermore, the Protocol Police demonstrated the dire importance of this initiative by making a presentation to the Dutch police, calling attention to these paramount dangers against children.

Ultimately, this serves as a testament to us all. The Protocol Police were able to secure Police cooperation without jeopardizing their identities as blackhat hackers.