Are people watching live footage of you from your webcam?! Change your default password, the data protection watchdog suggests.
Simon Rice, Group Manager for Technology at the Information Commissioner’s Office (ICO), was responding to a website based in Russia, that has been using the default login credentials, freely available online, for thousands of cameras.
Simon Rice blogged that the footage is being collected from cameras used by businesses and the public, ranging from CCTV to built-in cameras on baby monitors. “And with 350,000 of these cameras sold in the UK alone last year, this is a threat that all of us need to be aware of and be taking action to protect against.”
If you take only one security step with such products, make sure it’s setting a strong password, he advised.
“When you begin using your camera you may be given a simple default password that you’ll need to enter to get the device working. This might be blank or something as simple as ‘password’ or ‘12345’ but, even if it isn’t, the default passwords many manufacturers use are freely available online so make sure you get it changed. If the device doesn’t have a password, then, as a bare minimum, you should set one up. When choosing your password make sure it’s not one that can be easily guessed. Best practice is to use a password that contains a mixture of lower and upper case numbers, letters and characters – if you don’t; you’re potentially leaving your information vulnerable. This isn’t as inconvenient as it might sound, because if you are using a smart phone app to connect to the camera the app will remember the password for you.”
Settings
As for settings, he said: “Most camera systems come with instructions explaining how to keep the footage you’re capturing secure. While it’s perfectly natural for you to want to set your camera up as quickly as possible, take time to read the manual and familiarise yourself with the security options available to you. The ability to access footage remotely is both an internet cameras biggest selling point and, if not set up correctly, potentially its biggest security weakness. Remember, if you can access your video footage over the internet then what is stopping someone else from doing the same?
“You may think that having to type in an obscure web address to access the footage provides some level of protection. However, this will not protect you from the remote software that hackers often use to scan the internet for vulnerable devices. In some cases, insecure cameras can be identified using nothing more than an internet search engine. If you have a camera in your home and have no intention of viewing the footage over the internet, then the best thing to do is to go into the device’s security settings and see if you can turn the remote viewing option off. Selecting this option will not normally stop you from viewing the footage using your home Wi-Fi network, however read the manufacturer’s instructions to see what controls are available on your device. As a last resort, you can always cover the lens if you don’t want to use the camera all of the time.”
Comments
Pauline Norstrom, chief operating officer of surveillance technology solution company AD Group, is the chair of the British Security Industry Association (BSIA). She wrote that the issue of companies being vulnerable to having their cameras networks hacked is nothing new. “We find that about half of the companies and organisations we talk to, large and small, don’t have adequate precautions. Sometimes it is a lack of awareness or simply a sloppy approach towards the security of their networks. Yet the results of being hacked can be catastrophic.
“In the case of an organisation that was responsible for five schools, we found that two schools had cameras that could easily be accessed by outsiders. The potential results if unscrupulous intruders had exploited this vulnerability would have been extremely serious. Yet, such risks can be eliminated with quite straightforward security actions.
“With so many media stories about hacking such as the News International debacle, it should be a top priority to ensure that networks are protected. The hacking of cameras has a wider implication as it can lead onto phone lines, web servers and in turn access to personal and transactional data.
It all adds up to organisations not taking elementary and straightforward security precautions.
“Installers needs to guide their clients as many companies do not consider the issues and implications. The technology is there to prevent hacking. It is not overly complex to ensure networks are protected. Yet, the issue remains and we have not seen it diminish over the years.”
“Webcam technology is creeping into the security industry. This has made business more vulnerable to breaches in security. If businesses demonstrate awareness, action and vigilance, they will go a long way to being secure.
“Closed IPTV solutions ensure your IP video systems are completely protected from malicious threats – and still be able to access the system from the corporate network without creating any vulnerabilities as a result.”
David Emm, principal security researcher at the IT security product firm Kaspersky Lab, has written on the risks consumers are taking by not changing default passwords.
David Emm said: “The fact that a website is able to stream footage from thousands of cameras, illustrates the risks that consumers are taking by not changing the default passwords on camera enabled devices. It only takes a minute to change a password, and the longer it is left unchanged, the greater the chance that the device will be compromised. The problem’s not just restricted to IP devices, but to any device that has a connection to the Internet. This includes devices that connect via a home router, such as baby monitors or webcams. It also includes mobile devices too. Yet, our research has shown that two-thirds of us are unaware that cybercriminals can use malicious software to take over our mobile device camera. So clearly there’s some work that needs to be done in raising awareness of such threats.
“The problem is that we think of such devices – mobile phones, webcams, etc. – as our window on the world. But, we don’t realise that for cybercriminals it could be their window into ours if we don’t secure our devices. Hacking into a device’s camera offers those with malicious intent access to our images, our most intimate moments, our identities – and the people we want most to protect, such as our children.”
Ken Westin, security analyst at Tripwire, said: “Although this issue is currently getting a lot of attention in the media now, it is a problem that has existed for quite some time. The Russian website making these feeds public is creepy, however provides the public with visibility into what security researchers and malicious hackers have had access to for years. The silver lining of this is that people will become more aware of default settings of cameras and general security vulnerabilities in these devices. If you plan to use web cameras in your home or business it is critical that you not only change the default password of the camera, but also secure the network that device is on. If a web camera is on an open Wi-Fi network for example I can get the camera feed by sitting outside your house. It is also recommended that you buy a camera from a reputable brand that also provides security updates to their firmware, so before buying a camera do your research and look into the security features offered by the camera.”
And Mark James, security specialist at ESET, said: “It is down to the individual to decide where to place the camera – once placed, a decision should be made as to what is made available for online steaming. I totally understand why you would want to stream your front drive or even the alleyway providing access to the back of the house but honestly in what situation would you need to stream your children’s bedroom outside of your private residence?
“One of the biggest problems with international boundaries is that the rules are governed by the country hosting the server. It is and always will be the problem with the internet until changes are made by an organisation with global authority but the chances of that happening are extremely slim.
“The end user needs to be fully aware that a default password exists with easy instructions on how to change it. The manufacturer could make a default password and then force the user to change it on first use to something other than itself, but it may drive the cost of the unit up. As for changing the password – the point here is not about how hard or long the password is, it’s about not using the default password.”
