Webcam Videos Exposed by Weak PasswordsRussian Website Live-Streaming Feeds from Insecure Cameras
A website in Russia is streaming live footage accessed from security cameras used by businesses, closed-circuit television networks, and even built-in cameras on baby monitors around the world. The exposure of these videos highlights the dangers of weak passwords and the need for organizations to vet the security settings of their Internet-connected cameras and other devices.
The website is accessing the video feeds of the cameras by using the default login credentials for thousands of devices, the UK Information Commissioner's Office warns in a Nov. 20 blog post. The devices' default access credentials are public knowledge, and easily found online. Likewise, search engines such as Shodan make it easy for such websites - never mind unscrupulous corporate competitors or would-be stalkers - to automatically locate numerous types of Internet-connected devices, including webcams.
The commissioner's report doesn't name the Russian website that's serving as a live-streaming portal for unsecured, Internet-connect cameras. But according to threads that began appearing in September on the website Reddit's "creepy" forum - and subsequently in numerous press reports - the site is www.insecam.cc, which claims to be live-streaming footage from 125 different countries, listing 4,591 different feeds alone from the United States, 2,058 from France and 1,576 from the Netherlands. Feeds from Japan, Italy and the United Kingdom also are featured.
The site's interface not only includes a stream from the camera, but also the camera's geographical location - in latitude and longitude - although it's not clear how accurate those coordinates might be. But according to the Reddit forum, multiple such sites exist, not all of which are publicly known, and there have been previous cases involving camera - including baby-monitor - hacking.
"We all need to be aware of the threats that exist to our personal information," says Simon Rice, group manager for the technology team at the ICO. "If [not], then you're leaving your information vulnerable, and no one likes being watched by a stranger."
Rice encourages organizations and users to proactively change the default passwords installed on all Internet-connected devices, including webcams. Regardless, Rice recommends always picking a strong, difficult-to-guess password, as well as using two-factor authentication, whenever possible. "When you begin using your camera, you may be given a simple default password that you'll need to enter to get the device working," such as "password" or "12345," he says. Some webcam manufacturers, such as Foscam, have configured their devices so that users must now select a unique password before they can begin using the device, but the "pick a strong password" advice still stands.
Many Internet-enabled cameras include additional, built-in security features, but these typically are not enabled by default and must be activated, Rice says, noting that taking just a few minutes to review the user manual will typically tell users everything they need to know about how to correctly lock down their device. "The ability to access footage remotely is both an Internet camera's biggest selling point and, if not set up correctly, potentially its biggest security weakness," he says. Accordingly, he recommends users review whether they need to remotely access the camera feed via the Internet at all, since that can be disabled while retaining the ability to access the camera feed via a local Wi-Fi network. Less technological approaches may also suffice for some users. "As a last resort, you can always cover the lens if you don't want to use the camera all of the time," he says.
Vetting for Security Gaps
Default passwords are easy prey for cybercriminals who target enterprises or consumers, says Al Pascual, director of fraud and security at Javelin Strategy and Research. "For something as remedial as passwords, basic management still remains a challenge, which only bolsters the argument that alternatives are sorely needed."
When organizations deploy networked cameras, they need to ensure they're following basic security standards, says David Bryan, principal security consultant at Trustwave, a data security firm. Beyond using strong passwords, "look to make sure the products have implemented encryption, and follow open standards for encrypting their traffic," he says.
Also, manufacturers of Internet-connected technologies, including webcams, need to perform security reviews of their systems before they are put on the market, Bryan says. "Reviews include security scanning and testing to help identify and remediate security weaknesses before the products go to market."
Information security experts recommend cataloging all such Internet of Things devices that get deployed in the enterprise, and regularly checking to see if manufacturers have issued security patches or firmware updates for the devices. Historically, security researchers have found vulnerabilities in numerous types of webcams that would allow an attacker to bypass authentication controls on the devices, thus accessing feeds without having to know the username or password. After such reports get published, some - but not all - vendors will release updates that remediate the vulnerabilities. But vendors do not always publicize the new firmware or issue related alerts directly to customers.