In 2013, a cyber creep took over a baby monitor to spy on a 2-year-old Texas girl, to broadcast obscenities at the child, to swivel the camera so as to watch her shocked parents as they came in, and to then call the parents insulting names.
Her father was shocked. Both the router and the IP camera were password-protected, he said, and the firewall was enabled.
But even if the equipment was protected after a fashion, the protection you get from default passwords is about as strong as wishful thinking and spiderwebs, given how easy it is for crooks to guess their way in.
Now, thanks to a site that’s making extremely dubious white-hat claims about pointing out the dangers of not changing default passwords on IP cameras, it’s clear exactly how far into our lives e-marauders can get: besides feeds from baby monitors in nurseries around the world, the site allows strangers to spy on people via security webcams delivering live feeds from bedrooms, other rooms in residential homes, offices, shops, restaurants, bars, swimming pools and gymnasiums.
The site, Insecam.com, claims to tap into the direct feeds of hundreds of thousands of private cameras secured with default passwords from 152 countries – including, for example, Thailand, Sudan, the Netherlands, the UK, the US, Bolivia, Korea, and China.
As of Monday morning, the site listed 2242 systems in the UK. The US had 11,046.
The site was recently discovered by the Daily Mail and subsequently named and dissected by Motherboard.
According to the Mail on Sunday, the site was hosted by a company called MediaNet based in the Moldovan capital, Chisinau.
But Motherboard has since noted that it’s moved to an IP address in Moscow, hosted by GoDaddy.
At any rate, English isn’t the operator’s first language, as shown by the homepage’s raison d’être:
Sometimes administrator (possible you too) forgets to change default password like 'admin:admin' or 'admin:12345' on security surveillance system, online camera or DVR. Such online cameras are available for all internet users. Here you can see thousands of such cameras located in a cafes, shops, malls, industrial objects and bedrooms of all countries of the world. To browse cameras of the world just select the country or camera type.
This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private the only thing you need to do is to change your camera password.
Motherboard exchanged emails with the operator of the site, who said that to date, nobody’s requested that their camera feed be taken down.
Mind you, as the site itself points out, it doesn’t require “hacking” to find unsecured video feeds online. Its FAQ even provides links to tools that do the searching for you.
But please don’t. The people being spied on aren’t guilty of whatever lax security in the internet-enabled cameras allowed their privacy to be invaded.
Yes, they could have changed their default passwords, but in many cases, these cameras are installed by third parties who should do so but don’t. That’s no reason to invade the homes of their hapless clients.
It’s not a crime to have a weak password. It is, however, a crime to break into a computer, even if doing so only requires somebody to correctly guess that the password is “password”.
Jay Leiderman, a US lawyer with experience in computer intrusion cases, told Motherboard’s Joseph Cox that Insecam is flagrantly breaking US law:
It is a stunningly clear violation of the Computer Fraud and Abuse Act (CFAA).
Reporters at the Daily Mail last week spent 2 hours watching footage. This is what they report being able to view on IP cameras in the UK:
- Babies in cots
- A schoolboy playing on his computer at home in North London
- Another boy asleep in bed
- The inside of a Surrey vicar’s church changing room
- An elderly woman relaxing in an armchair
- Two men in a kitchen sharing a meal
We’ve chosen not to insert any images taken from Insecam here – blurred-out faces or no.
If you’re using a home security camera, a baby monitor, or a video camera to secure your business, please, please be careful with these devices’ security.
That starts with changing default passwords.
If somebody else has installed a camera for you or for any of your colleagues, friends or family, please grill the installer for details on what type of password the device shipped with: whether it was unique to the device (preferable) or required a password change upon installation (ditto) or whether it had a default password that needs changing.
Keep an eye on those cameras.
They’re sure as hell keeping an eye on us.
Is it really that hard to actually WALK into your baby’s room to check on him/her? Are you really going to parent from afar? What in the world do you need a webcam stream in your own house for?
Because you can!
I can see good reasons. It can take less than 30 seconds for someone to grab a kid from their bed and leave. Even the best parent cannot be in the room with their kids 24/7 with no break. Bars on the windows = dead kids in the case of a fire etc. So that’s out. With a security system and camera any kidnapper who does a snatch and run will be on film and that film can and does lead to arrests. Many baby monitors are sensitive enough to pick up breath sounds and can alert a parent if the child stops breathing. The problem here is not having a cam, it is having it online, and there is no real need for that.
Of course it’s not hard to go into their room. That’s not the point. Using an IP cam, you can check if your child is asleep, without going into their room and potentially disturbing them. Constantly going into the room can be counterproductive if you have a restless child. Also, children can wake up, sit bolt upright in their beds, and not make a sound for some time. Having an IP cam allows you to spot this easily, again without having to go in many times and potentially disturbing a child if they are asleep.
It’s easy to make a kneejerk reaction, but there are many valuable and practical uses for cameras in children’s rooms.
In the case of IP cameras accessible on the internet as these are the camera owner may wish to observe the child or elderly relative while they are away, whether that be at work or on holiday while a child minder or nurse is taking care of the vulnerable person.
All sorts of abuses can and do occur to children and the elderly when being looked after at home or in nursing homes, a live or recorded video stream offers some level of security or accountability. Honestly, you only need look at the news to see examples of child and elder abuse, ridiculing those using technology to protect those they love is so wrong.
I know that I can potentially get blamed for blaming the victims, again, as I did in a previous story. This story reminds me of “ignorance of the law is not an excuse.” In this case, “but I didn’t know the Internet was not secure and a giant sewer.” Wait before you tell me not to blame the victims, the problem with so much of human innovation is that we invent things but do not fully understand how to use them safely; the best example is the atomic bomb, but think about how technology sometimes runs amuck because it is not fully understood.
There is no obvious disclaimer when you buy a device with a camera telling you that it is not secure. I teach computer classes, and people are shocked when I tell them that the Internet is not secure, be careful what you click on, and there should be no inherent expectation of privacy with ANYTHING connected to or posted on the Internet. So I don’t blame the victims. It’s the Internet sewer dwellers that commit the crime. But it is a matter of informing people about the dangers; most people would not go for a walk at night in a really dangerous neighborhood. We require driver’s licenses so people know how to drive, but anyone can buy a computer, connect it to the Internet, get an e-mail account, be phished and give up personal information, all because no one ever told them the Internet was dangerous.
I work with people who are educated and they still save their personal login info in browsers on computers that other people have access to. One more thing, the computer and Internet security class I teach is the most poorly attended class; last month no one showed up for one session.
Really… “The atomic bomb”? There’s only one use for an atomic bomb and I think we all understand what will happen if it’s ever used again… but we’re talking about using default passwords on a system connected to the Internet, and rather than discuss what we already know about that, I’ll just ask, why can’t the companies that make these devices configure them to:
a) Force a Password Change prior to use?
b) Disallow weak passwords, force usage of secure complex passwords?
c) Memorize prior passwords?
Not all people who buy these devices know or understand, or even want to know or understand any of the technical things about it, they just want it to work or do whatever it is they bought it to do… default passwords… no problem, my firewall is on.
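The three controls the comment above asks manufacturers for (forced change before use, rejection of weak passwords, a memory of prior passwords), sketched as an added example that is not part of the original page or any vendor's firmware. The `CameraAccount` class, the deny-list contents, the 12-character minimum and the history depth of 5 are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed deny-list; "admin" and "12345" are the defaults quoted on the page.
KNOWN_DEFAULTS = {"admin", "12345", "12345678", "password"}
MIN_LENGTH = 12      # assumed policy value
HISTORY_DEPTH = 5    # assumed number of remembered passwords


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class CameraAccount:
    """Hypothetical device account: no streaming until the factory password is replaced."""

    def __init__(self, username, factory_password):
        self.username = username
        self.must_change = True          # (a) force a change prior to use
        self.history = []                # salted hashes, newest last
        self._store(factory_password)

    def _store(self, password):
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _hash(password, salt))])[-HISTORY_DEPTH:]

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def check_password(self, password):
        return self._matches(password, self.history[-1])

    def change_password(self, old, new):
        """Return None on success, otherwise the reason the change was refused."""
        if not self.check_password(old):
            return "old password incorrect"
        if new.lower() in KNOWN_DEFAULTS or new.lower() == self.username.lower():
            return "known default or same as username"   # (b) reject weak values
        if len(new) < MIN_LENGTH:
            return "too short"
        if any(self._matches(new, e) for e in self.history):
            return "password was used before"            # (c) remember prior ones
        self._store(new)
        self.must_change = False
        return None

    def can_stream(self, password):
        return not self.must_change and self.check_password(password)
```

With this gate in place, a camera left at `admin:admin` never serves video, because `can_stream` stays false until a compliant password has been set.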
My point is that humans invent new technology and don’t foresee the consequences. The atomic bomb is meant to be an extreme example, but personally the Internet (of Things) is not too far behind. Wait until some foreign entity shuts down our power grid or makes a reactor melt down or shuts off the water supply. Need more examples? And please if someone can prove to me that this will not happen, I am willing to listen. Until then I await the next Stuxnet.
And the folks that run these things are just like the ones who don’t change the default passwords. In fact some of them are the same, I see it all the time, as when an HVAC tech tells me the password is 12345678 (that actually happened, I was speechless).
“This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private the only thing you need to do is to change your camera password.”
I can almost read the comments about privacy hacking and other nonsense… but if all you need to do is change the password, (something that should have been the 1st step in setting up the device) what’s the problem? You most likely will find these devices and more using SHODAN.
Because how likely is it that all the people on that site are going to find out they are on it? And if they ever did find out, and changed their passwords, well that’s not going to change the fact that thousands of people could have watched them changing in their bedrooms or doing whatever before they found out. How is hacking into people’s webcams and indiscriminately letting anybody watch them not problematic to you?
Sorry Tara… but that’s not “hacking” if you do not change a password that is available to anyone who wants to Google that type of information. Sure, nobody should be subject to that but I honestly cannot find any sympathy for someone who does not read or follow instructions completely, and I’m sure that most if not all of these device vendors are warning people to change the default passwords and even if they don’t, in this day and age you should know better, especially if you decide to put this technology in your homes… if it makes it easy for you, chances are it makes it easier for the bad guys too.
Look! Someone’s left a downstairs window open! Let’s go into their yard, grab their dustbin, and tip the contents through the window!
Imagine the looks on their faces when they get home…*that’ll* teach them not to take security risks like that again.
And it’s *their* dustbin, *their* waste and *their* window, so they can’t complain.
What do you think a cop would say to those people… “you should have closed and locked your windows…” maybe?
Sure it’s wrong to go into that house, but it’s just as dumb to put your family at risk… wouldn’t you agree?
Mr. Ducklin, IMO I’d think you would surely agree that a default password is akin to no password at all, and true enough that’s no reason to violate it, but it’s also no valid reason to complain when it is violated.
You know, we talk about security on this site but when poor security practices are highlighted, such as using default passwords on a device connected to the Internet and that device is compromised because of that default password, all anyone can focus on is “those bad people doing those bad things”… instead of asking why wasn’t the password changed which could have prevented the compromising action in the first place.
Kudos for opting not to publish any screenshots from the site, unlike others’ dubious coverage of the story. It’s more than a little hypocritical to rant about the invasion of privacy while perpetuating that violation.
Thanks, Anonymous. It was tempting to use a selection of the images to help illustrate the story but because they were acquired without the slightest nod to decency, privacy (or legality, in all likelihood) I made a decision not to. All the people in these screenshots/videos looked so vulnerable and obviously unaware that they were being spied on, I felt embarrassed to even be looking at screenshots put up by news outlets.
A site like this could get in REALLY big trouble, at least in the US. It is a federal crime to disseminate pictures or video of naked minors. If the camera feed happened to be on while the baby is changed, and this web site showed that video on its website, they’re almost certainly guilty of a child porn law violation.
I consider them scum in the first place, but this could make them inmates.
They call them baby monitors, but their use is not limited to watching babies. I have an elderly parent who lives alone, and I have (with permission) a baby cam to monitor the kitchen and living room. That way, if I call and there is no answer, I can see if my parent is collapsed on the floor. I can, long distance, call an ambulance. My parent is perfectly competent and wants to live independently; this is just a security measure we both appreciate.
So yes, there are reasons for an Internet-enabled monitor.
Plus there have been enough instances of a nanny mistreating a child that I could see a parent wanting to be able to check in from work.
Thanks for the comment, Claire. You’re right, these cams are used on the elderly, as well. I sympathize with your wanting to keep an eye on your parent. My own mother fell down and broke her hip a few years back, and as a result I got her one of those “Help I’ve Fallen” gizmos. Have you looked into those? They instantly put through a call to emergency services. They’ll call your parent, check to see if s/he’s OK, and if they don’t get an answer, the ambulance will be at the door, lickety-split. They’ll also call whoever is listed as a fallback—as I and my brothers both are.
It’s been such a relief to know she won’t be lying on the floor without help. I highly recommend those gadgets.
You’re talking in contradictions. You admit that unauthorised access, even to a poorly secured system, is “a violation.” So, pretty much by definition, there’s no way it can be “invalid” for me to complain about it.
If you wander into my house because I inadvertently left the door unlocked…
…I’m not going to accept your presence as valid in any way.
That’s all I’m saying.
I ran across the article when searching to upgrade my home DVR security system. I am also guilty of leaving the default password on our current DVR unchanged. It’s changed now and my hopes are our cams were not up on that site.
Even when one buys a new wireless router these days, it has its own unique SSID and unique Network Security Key. It’s not very hard, and really an easy step, for the manufacturers of security devices, i.e. cameras and DVRs that connect to the internet, to do so. This also more or less forces the end user to log on before use and be more “aware” of the security features. IMHO the manufacturers are being irresponsible and saving a few pennies by continuing to do so.
Firewall or not you should never leave default passwords on any of your equipment. Especially if your network is connected to the internet.
A couple of points
– Firewalls can easily be bypassed in a number of ways
– Think before you click, phishing and spam emails are a common method
– Leaving default passwords just opens you up for more exposure
While sites like this cross a line when it comes to criminal law in some countries, it does bring awareness to the problem of default passwords.