Live video feeds from UK schools are being streamed by a website that collects them from cameras that aren’t properly protected with passwords.
That is, feeds of restrooms, playgrounds and corridors, both inside and outside the buildings, that show school kids as young as infants, teachers, parents and cleaning staff – all freely available to any creep or crook who likes that kind of thing.
The Daily Mail picked up on the site’s antics, reporting on Sunday that it was seeing live feeds from security cameras in “at least” four British schools.
The publication didn’t mention the name of the site. But it did report that the site boasted this:
Watch live surveillance cameras in the UK
…a search term that points to a site found to be doing the exact same thing in the past. In 2014, reporters at the Daily Mail found that a similar site was streaming feeds from IP cameras in the UK that showed lots more besides schoolkids, including:
- Babies in cots
- A schoolboy playing on his computer at home in North London
- Another boy asleep in bed
- The inside of a Surrey vicar’s church changing room
- An elderly woman relaxing in an armchair
- Two men in a kitchen sharing a meal
I checked in on that company to find out if it’s responsible for the material the Daily Mail found this time around, which included:
- Seven CCTV cameras being live streamed from Highfield Leadership Academy in Blackpool, whose student body includes 1,130 pupils aged between 11 and 16.
- Infant school children leaving their classrooms and being picked up by parents at St Mary’s Catholic Academy in Blackpool, which has 1,188 students enrolled.
The site the Daily Mail reported on in 2014 still calls itself the world’s biggest directory of online surveillance security cameras: one that lets you pick a country from which to watch “live street, traffic, parking, office, road, beach, earth online webcams,” all live, all available online because they aren’t secured with a password.
But the site also assures visitors that it’s now only offering feeds from “filtered cameras,” whatever that means. At any rate, the site says that at this point, “none of the cameras … invade anybody’s private life” and that if any “private or unethical camera” is found, it “will be removed immediately upon email complaint.”
Mind you, we have no clue if this is the same site. I asked, and I’ll update the story if I hear back.
In the meantime, the Daily Mail reports that staffers at St Mary’s and Highfield “strengthened” their passwords, “thereby removing cameras from the site.” Likewise, Jeremy Hartley, of the Eric Wright Group, which runs CCTV systems at two of the schools, said that the camera feeds were “immediately” taken offline and that technology experts are investigating the breach and the cause.
The site is reportedly in the US. It’s denied wrongdoing, saying that cameras simply need more security. The UK’s Information Commissioner’s Office has launched an investigation.
Is it a privacy breach, when someone isn’t using a password on their IP camera, or they don’t change the default password it shipped with?
Absolutely. Back in the 2014 incident, Jay Leiderman, a US lawyer with experience in computer intrusion cases, said that streaming private video streams is flagrantly breaking US law:
It is a stunningly clear violation of the Computer Fraud and Abuse Act (CFAA).
Even if you use that withered old prune “password” as a password, it’s still illegal for somebody to access your device unless they’ve been authorized to do so. As these type of sites are happy to point out, it doesn’t require “hacking” to find unsecured video feeds online. The FAQ for one of them even provides links to tools that do the searching for you.
But please don’t. The people being spied on aren’t guilty of whatever lax security in the internet-enabled cameras allowed their privacy to be invaded.
Yes, people with IP cameras can change their default passwords, and they absolutely should. But in many cases, these cameras are installed by third parties who should do so but don’t. That’s no good reason to invade the homes – or schools – of their hapless clients.
Whether the cameras are in locker rooms, nurseries, people’s homes, or trained on our kids, if somebody else has installed a camera for you or for any of your colleagues, friends or family, please do grill the installer for details on what type of password the device shipped with: whether it was unique to the device (preferable) or required a password change upon installation (ditto) or whether it had a default password that needs changing.
If it does have a default password, please change it to something unique and hefty! If it has no password at all? Ditto!
6 comments on “Insecure CCTV feeds of kids at school are being streamed live online”
Can we get a follow up on the story of why and who: “The inside of a Surrey vicar’s church changing room”
The other ones sound like bad security on the cam (and aiming at a toilet wtf) but “inside a changing room” and at a church, that’s sounds like a bigger story.
Yes, it does sound like a bigger story. But not, in my view, one for Naked Security to probe. Leave that to the Times or BBC – and I would not be surprised to learn that they are already on it.
People wanted CCTV everywhere, well, now you have CCTV everywhere, a dream come true.
And it gets better, you can now have cameras in kids toys and a voice recording device at home listening to everything you say, at the end of the day the consumer/voter decides, they picked it, now let´s enjoy it.
Well even if that particular website has suddenly become moral you’ll still be able to find those feeds on Shodan
The summerhill school state the mail only used the photos and there was no breach of security. Is this correct as reading your article it sounds like the summerhill school were hacked?
Apologies, this was an error in the article. It has now been corrected.