In 2013, a cyber creep took over a baby monitor to spy on a 2-year-old Texas girl, to broadcast obscenities at the child, to swivel the camera so as to watch her shocked parents as they came in, and to then call the parents insulting names.
Her father was shocked. Both the router and the IP camera were password-protected, he said, and the firewall was enabled.
But even if the equipment was protected after a fashion, the protection you get from default passwords is about as strong as wishful thinking and spiderwebs, given how easy it is for crooks to guess their way in.
Now, thanks to a site that’s making extremely dubious white-hat claims about pointing out the dangers of not changing default passwords on IP cameras, it’s clear exactly how far into our lives e-marauders can get: besides feeds from baby monitors in nurseries around the world, the site allows strangers to spy on people via security webcams delivering live feeds from bedrooms, other rooms in residential homes, offices, shops, restaurants, bars, swimming pools and gymnasiums.
The site, Insecam.com, claims to tap into the direct feeds of hundreds of thousands of private cameras secured with default passwords from 152 countries – including, for example, Thailand, Sudan, the Netherlands, the UK, the US, Bolivia, Korea, and China.
As of Monday morning, the site listed 2242 systems in the UK. The US had 11,046.
According to the Mail on Sunday, the site was hosted by a company called MediaNet based in the Moldovan capital, Chisinau.
But Motherboard has since noted that it’s moved to an IP address in Moscow, hosted by GoDaddy.
At any rate, English isn’t the operator’s first language, as shown by the homepage’s raison d’être:
Sometimes administrator (possible you too) forgets to change default password like 'admin:admin' or 'admin:12345' on security surveillance system, online camera or DVR. Such online cameras are available for all internet users. Here you can see thousands of such cameras located in a cafes, shops, malls, industrial objects and bedrooms of all countries of the world. To browse cameras of the world just select the country or camera type.
This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private the only thing you need to do is to change your camera password.
Motherboard exchanged emails with the operator of the site, who said that to date, nobody’s requested that their camera feed be taken down.
Mind you, as the site itself points out, it doesn’t require “hacking” to find unsecured video feeds online. Its FAQ even provides links to tools that do the searching for you.
But please don’t. The people being spied on aren’t guilty of whatever lax security in the internet-enabled cameras allowed their privacy to be invaded.
Yes, they could have changed their default passwords, but in many cases, these cameras are installed by third parties who should do so but don’t. That’s no reason to invade the homes of their hapless clients.
It’s not a crime to have a weak password. It is, however, a crime to break into a computer, even if doing so only requires somebody to correctly guess that the password is “password”.
Jay Leiderman, a US lawyer with experience in computer intrusion cases, told Motherboard’s Joseph Cox that Insecam is flagrantly breaking US law:
It is a stunningly clear violation of the Computer Fraud and Abuse Act (CFAA).
Reporters at the Daily Mail last week spent 2 hours watching footage. This is what they report being able to view on IP cameras in the UK:
- Babies in cots
- A schoolboy playing on his computer at home in North London
- Another boy asleep in bed
- The inside of a Surrey vicar’s church changing room
- An elderly woman relaxing in an armchair
- Two men in a kitchen sharing a meal
We’ve chosen not to insert any images taken from Insecam here – blurred-out faces or no.
If you’re using a home security camera, a baby monitor, or a video camera to secure your business, please, please be careful with these devices’ security.
That starts with changing default passwords.
If somebody else has installed a camera for you or for any of your colleagues, friends or family, please grill the installer for details on what type of password the device shipped with: whether it was unique to the device (preferable) or required a password change upon installation (ditto) or whether it had a default password that needs changing.
Keep an eye on those cameras.
They’re sure as hell keeping an eye on us.