It’s not a newsflash that laptops’ webcams can be hacked, allowing remote eyes to peer out at unsuspecting users on the other end. But the news that hundreds of feeds from baby monitors, CCTV cameras and webcams from UK homes and businesses have been hacked and uploaded onto a Russian website takes things to a whole new level of creepy.
“The Russian site currently shows what is believed to be a child’s bedroom in Birmingham, a gym in Manchester, an office in Leicester, and a shop interior in London, among others,” UK newspaper the Independent reported.
The UK’s Information Commissioner’s Office (ICO) is urging British citizens to upgrade their passwords after the Russian site’s administrator told it that the purpose of the hack was to highlight poor security and password practices—and that the feeds will end "only when all cameras will be password protected,” the paper said.
Meanwhile, UK Information Commissioner Christopher Graham pledged to work with Russian authorities to take down the site.
Mark James, security specialist at ESET, said that the situation points out more than simply lax password practices. Basic common sense isn’t being used in the first place, he noted.
“It is down to the individual to decide where to place the camera—once placed, a decision should be made as to what is made available for online steaming,” he said in an email. “I totally understand why you would want to stream your front drive or even the alleyway providing access to the back of the house, but honestly in what situation would you need to stream your children’s bedroom outside of your private residence?”
Guillermo Lafuente, security consultant at MWR InfoSecurity, pointed out that often, users may not know that their cameras are open to the internet.
“The main problem with CCTV cameras and webcams is that they often allow remote access by default, and are preconfigured with credentials which are easy to find online or to guess,” he said in an email. “In some cases, the cameras do not require a password at all. Unless a firewall or any other protection mechanism is protecting the camera from remote access, it will be very easy for an attacker to access the camera and watch it live remotely.”
In fact, he said, it’s all too easy to pick off the vulnerable electronics. In order to find exposed cameras, an attacker can simply use an online search engine such as Google to type in a simple query, like: intext:"Hikvision" inurl:"login.asp".
“This will return a number of Hikvision cameras which are exposed to the internet,” Lafuente said. “There’s also a service called Shodan which contains a large index of internet-exposed devices, including IP cameras. If any of the exposed cameras discovered on Shodan or Google were configured with default credentials, then it would be straight forward for an attacker to compromise the camera and watch it.”
Thus, clearly, manufacturers can do a better job of alerting end users to the fact that a default password exists, with easy instructions on how to change it.
“To protect their security and privacy users need to ensure that these devices are correctly set up and where applicable new passwords or PINs are set,” said Hugh Boyes from the Institution of Engineering and Technology (IET), in an email. “It is basic cyber-hygiene like this which helps protect the security and privacy of children and it is particularly important where devices such as webcams are installed in bedrooms or other private spaces. As more consumer devices are networked as part of the emerging Internet of Things, this issue will become more pressing.”
One of the problems, of course, lies in consumer electronics business modeling: all of these devices tend to have razor-thin margins.
“Developers are also pressured to roll out devices to market quickly and cheaply —leaving little room, if any, to perform security scanning and testing during the development stage,” said Trustwave security tester David Bryan, who pointed out that these kinds of attacks have been around for more than three years—including instances of individuals compiling video camera footage and posting them on a website.
Users can and should take the reins on this, and always disable remote access to the camera unless they need it, and make sure to change the default password. Also, they should of course apply any patches released by the vendor.