Webcam Videos Exposed by Weak Passwords
Russian Website Live-Streaming Feeds from Insecure Cameras
A website in Russia is streaming live footage accessed from security cameras used by businesses, closed-circuit television networks, and even built-in cameras on baby monitors around the world. The exposure of these videos highlights the dangers of weak passwords and the need for organizations to vet the security settings of their Internet-connected cameras and other devices.
The website is accessing the video feeds of the cameras by using the default login credentials for thousands of devices, the UK Information Commissioner’s Office warns in a Nov. 20 blog post. The devices’ default access credentials are public knowledge, and easily found online. Likewise, search engines such as Shodan make it easy for such websites – never mind unscrupulous corporate competitors or would-be stalkers – to automatically locate numerous types of Internet-connected devices, including webcams.
The commissioner’s report doesn’t name the Russian website that’s serving as a live-streaming portal for unsecured, Internet-connected cameras. But according to threads that began appearing in September on the website Reddit’s “creepy” forum – and subsequently in numerous press reports – the site is http://www.insecam.cc, which claims to be live-streaming footage from 125 different countries, listing 4,591 different feeds from the United States alone, 2,058 from France and 1,576 from the Netherlands. Feeds from Japan, Italy and the United Kingdom also are featured.
The site’s interface includes not only a stream from the camera, but also the camera’s geographical location – in latitude and longitude – although it’s not clear how accurate those coordinates might be. According to the Reddit forum, multiple such sites exist, not all of which are publicly known, and there have been previous cases of camera hacking, including of baby monitors.
“We all need to be aware of the threats that exist to our personal information,” says Simon Rice, group manager for the technology team at the ICO. “If [not], then you’re leaving your information vulnerable, and no one likes being watched by a stranger.”
Rice encourages organizations and users to proactively change the default passwords installed on all Internet-connected devices, including webcams. In any case, Rice recommends always picking a strong, difficult-to-guess password and using two-factor authentication whenever possible. “When you begin using your camera, you may be given a simple default password that you’ll need to enter to get the device working,” such as “password” or “12345,” he says. Some webcam manufacturers, such as Foscam, have configured their devices so that users must now select a unique password before they can begin using the device, but the “pick a strong password” advice still stands.
Many Internet-enabled cameras include additional, built-in security features, but these typically are not enabled by default and must be activated, Rice says. He notes that taking just a few minutes to review the user manual will typically tell users everything they need to know about how to correctly lock down their device. “The ability to access footage remotely is both an Internet camera’s biggest selling point and, if not set up correctly, potentially its biggest security weakness,” he says. Accordingly, he recommends users review whether they need to remotely access the camera feed via the Internet at all, since that can be disabled while retaining the ability to access the camera feed via a local Wi-Fi network. Less technological approaches may also suffice for some users. “As a last resort, you can always cover the lens if you don’t want to use the camera all of the time,” he says.
Vetting for Security Gaps
Default passwords are easy prey for cybercriminals who target enterprises or consumers, says Al Pascual, director of fraud and security at Javelin Strategy and Research. “For something as remedial as passwords, basic management still remains a challenge, which only bolsters the argument that alternatives are sorely needed.”