While privacy and freedom fighters have long covered their webcams with stickers and plasters, news emerged this morning that a Russia-based website broadcasts live feeds of webcams, CCTV systems and baby monitors.
According to BBC News, the website contains thousands of live feeds from more than 250 countries and other territories. From the UK there are at least 500 feeds, including an office in Warwickshire, a child’s bedroom in Birmingham and a home’s driveway in Nottinghamshire.
The kit has not been “hacked”; instead software and search tools have been used to scan the net for feeds that can be accessed using the cameras’ default settings, with China-based Foscam the most commonly listed brand, followed by Linksys and then Panasonic. This is what the industry has to say on this story:
Guillermo Lafuente, security consultant at MWR InfoSecurity
“The main problem with CCTV cameras and webcams is that they often allow remote access by default, and are preconfigured with credentials which are easy to find online or to guess. In some cases, the cameras do not require a password at all.
“Another common problem is that vulnerabilities are often found in the cameras, with public exploits readily available. If the vulnerability is critical and can allow an anonymous remote attacker to access the video stream then the vulnerable cameras can be easily exposed.
“Again, vulnerable devices can also be found via Google or Shodan. Since most end-users would not worry about applying patches, the cameras will remain vulnerable even if vendors release a security patch for the vulnerability. It is very easy to find cameras that are still vulnerable to exploits which are several years old.”
David Emm, principal security researcher at Kaspersky Lab
“The fact that a website is able to stream footage from thousands of cameras illustrates the risks that consumers are taking by not changing the default passwords on camera-enabled devices. It only takes a minute to change a password, and the longer it is left unchanged, the greater the chance that the device will be compromised.
“The problem’s not just restricted to IP devices, but to any device that has a connection to the internet. This includes devices that connect via a home router, such as baby monitors or webcams. It also includes mobile devices too. Our research has shown that two-thirds of us are unaware that cyber criminals can use malicious software to take over our mobile device camera. So clearly there’s some work that needs to be done in raising awareness of such threats.
“The problem is that we think of such devices – mobile phones, webcams, etc. – as our window on the world. But, we don’t realise that for cyber criminals it could be their window into ours if we don’t secure our devices. Hacking into a device’s camera offers those with malicious intent access to our images, our most intimate moments, our identities – and the people we want most to protect, such as our children.”
Mark James, security specialist at ESET
“It is down to the individual to decide where to place the camera – once placed, a decision should be made as to what is made available for online streaming. I totally understand why you would want to stream your front drive or even the alleyway providing access to the back of the house but honestly in what situation would you need to stream your children’s bedroom outside of your private residence?
“One of the biggest problems with international boundaries is that the rules are governed by the country hosting the server. It is and always will be the problem with the internet until changes are made by an organisation with global authority but the chances of that happening are extremely slim.
“The end user needs to be fully aware that a default password exists with easy instructions on how to change it. The manufacturer could make a default password and then force the user to change it on first use to something other than itself, but it may drive the cost of the unit up. As for changing the password – the point here is not about how hard or long the password is, it’s about not using the default password.”
Ken Westin, security analyst at Tripwire
“Although this issue is currently getting a lot of attention in the media now, it is a problem that has existed for quite some time. The Russian website making these feeds public is creepy; however, it provides the public with visibility into what security researchers and malicious hackers have had access to for years.
“The silver lining of this is that people will become more aware of default settings of cameras and general security vulnerabilities in these devices.
“If you plan to use web cameras in your home or business it is critical that you not only change the default password of the camera, but also secure the network that device is on. If a web camera is on an open WiFi network for example I can get the camera feed by sitting outside your house. It is also recommended that you buy a camera from a reputable brand that also provides security updates to their firmware, so before buying a camera do your research and look into the security features offered by the camera.”
Chris McIntosh, CEO of ViaSat UK
“The fact that people’s private lives are being broadcast on the internet demonstrates that increased connectivity means cyber security is now an all-encompassing problem and the message on the need for robust data protection is still not getting through. Technology is only as good as the people that use it and the public needs to do its part by not leaving the door open to malevolent third parties.
“Using the default password on a consumer device is asking for trouble and was clearly demonstrated during the phone hacking scandal of 2011 when journalists accessed celebrities’ personal messages through using default passwords for different mobile networks. On the other hand, changing this to something as simple as ‘password1’ and using this over and over again between multiple devices isn’t much better; passwords need to be hard to guess and changed regularly to be effective.
“Another example that shows this is that the FBI was recently able to access a notorious hacker’s computer because they used their cat’s name as the password. In the future with the Internet of Things connecting almost all consumer devices to the internet, practically anyone will be at risk of being hacked or accessed by third parties so a robust approach to IT security needs to be put in place now and become second nature if we are to avoid cases like the Russian site being commonplace in the future.”