Is someone watching you right now? A warning as website targets insecure webcams

By Simon Rice, Group Manager for Technology

main-highlight-webcam-securityThe danger of using weak passwords has been exposed again this month after a new website was launched that allows people to watch live footage from some of the insecure cameras across the world. The website, which is based in Russia, accesses the information by using the default login credentials, which are freely available online, for thousands of cameras.

The footage is being collected from security cameras used by businesses and members of the public, ranging from CCTV networks used to keep large premises secure, down to built-in cameras on baby monitors. And with 350,000 of these cameras sold in the UK alone last year, this is a threat that all of us need to be aware of and be taking action to protect against.

So what actions should you be taking right now to make sure people aren’t able to access the information being filmed by your device?

Change your default password

password-nopadlockIf you take only one security step when getting any new device, make sure it’s setting a strong password.

When you begin using your camera you may be given a simple default password that you’ll need to enter to get the device working. This might be blank or something as simple as ‘password’ or ‘12345’ but, even if it isn’t, the default passwords many manufacturers use are freely available online so make sure you get it changed. If the device doesn’t have a password, then, as a bare minimum, you should set one up.

When choosing your password make sure it’s not one that can be easily guessed. Best practice is to use a password that contains a mixture of lower and upper case numbers, letters and characters – if you don’t; you’re potentially leaving your information vulnerable. This isn’t as inconvenient as it might sound, because if you are using a smart phone app to connect to the camera the app will remember the password for you.

You can get more information about choosing better passwords at Get Safe Online.

Check all the available security settings

settings-nopadlockMost camera systems come with instructions explaining how to keep the footage you’re capturing secure. While it’s perfectly natural for you to want to set your camera up as quickly as possible, take time to read the manual and familiarise yourself with the security options available to you.

The ability to access footage remotely is both an internet cameras biggest selling point and, if not setup correctly, potentially its biggest security weakness. Remember, if you can access your video footage over the internet then what is stopping someone else from doing the same?

You may think that having to type in an obscure web address to access the footage provides some level of protection. However, this will not protect you from the remote software that hackers often use to scan the internet for vulnerable devices. In some cases, insecure cameras can be identified using nothing more than an internet search engine.

If you have a camera in your home and have no intention of viewing the footage over the internet, then the best thing to do is to go into the device’s security settings and see if you can turn the remote viewing option off. Selecting this option will not normally stop you from viewing the footage using your home Wi-Fi network, however read the manufacturer’s instructions to see what controls are available on your device. As a last resort, you can always cover the lens if you don’t want to use the camera all of the time.

Secure all of your other devices with an internet connection

devices-nocontrollerWebcams aren’t the only devices that hackers may be able to access remotely.

Think of how much personal information is stored on your laptop or tablet. You may have financial information, including bank statements, health information, such as letters from your local hospital, or other information you’d rather keep private, for example an application for a new job.

Many programs and apps also now upload and store your information on cloud servers rather than, or as well as, the device’s hard drive. While there are new storage devices, known as personal cloud servers, that sit in your home and allow you to access the files stored on them remotely using the internet connection in your home.

The use of the cloud and all of these devices further increases the amount of information that’s potentially available if you fail to take adequate steps to keep your information secure.

You should already have a strong password on your laptop, tablet or computer to stop a person accessing the information on your device or on the cloud service it uses. However, some cloud services allow you to go a step further by offering two-step authentication.

Two-step authentication offers you an additional layer of security when logging in to an online service. It often works by asking you a security question, or by sending a code to your mobile phone that you must enter during the login process. So if you have this option turned on, your information should still remain secure even if your password is compromised.

We all need to be aware of the threats that exist to our personal information. However, the basic steps covered in this blog are one’s all of us should be taking as a matter of routine. If you don’t, then you’re leaving your information vulnerable and no one likes being watched by a stranger.

You can find further advice to help you protect your personal information online and when using other electronic devices on the ICO website.

The ICO is working with other global data protection and privacy authorities on collaborative action connected to the website showing unsecure webcam images, while advising people on the steps they can take to protect their information.

Simon RiceSimon Rice is the Group Manager for the Technology team which provides technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.

Last updated 20/11/2014 00:01

This entry was posted in Simon Rice and tagged , , , , , , , , . Bookmark the permalink.

10 Responses to Is someone watching you right now? A warning as website targets insecure webcams

  1. Steve Phelps says:

    Paul Graham said on the BBC Today Programme “If you value your privacy put in the basic security arrangements. It’s not difficult”.

    However, the UK and USA intelligence agencies have sytematically attempted to introduce weaknesses and back-doors into consumer hardware and software (https://web.archive.org/web/20140725112229/http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?_r=0), thus making it virtually impossible for citiziens of any country, the UK included, to secure their electronic privacy. What is the information commissioner doing to resolve this issue? Are you lobbying the government to take privacy seriously in the wake of the Snowden revelations?

  2. Back in 2003 I (and no doubt many others) demonstrated this vulnerability/threat combination to privacy within info sec courses and public demonstrations. It appears then that nothing much as changed over the last 11 years.

  3. Steve says:

    Good passwords are all very well: “use a password that contains a mixture of lower and upper case numbers, letters and characters”.
    So you need one set for each bank account, another set for each email address, then for a phone provider, online bills, local machine (computer), mobile phone… Assume a set of two (user name & PW) for each, that’s already 7 sets minimum. All different and not easy to guess of course.
    Save it in an app or on a computer? Well all these items can fail or run out of battery when you need them.
    So you end up writing them all down or select something you can remember, but that won’t be complex then.
    Security compromised through complexity!

    Any solution? One cannot just keep asking for more complexity. It’s doesn’t take humans into account!

  4. Great advice. We’ve been surveying consumers on their privacy concerns for a couple of weeks and so far “cameras” are #2, right behind “microphones.” To take the survey or see complete results, go here: http://iotsecuritylab.com/iot-smart-device-privacy-poll/

  5. Ah yes. Good tips all of them. Truly, privacy is so over. Surveillance and the threat of it are the new reality. http://overtbrain.com/2014/10/07/privacy-is-over-surveillance-is-the-new-reality/

  6. mjmsprt40 says:

    There’s a cheap solution for the camera anyway.
    Go to the hardware store, buy a roll of plastic electrical tape. I use black tape, but any solid color will do. Cut off three or four inches of this tape, place that over the camera lens. Done.

    A friend informs me the same trick will work to some degree at least for the microphones, since these tend to be low-quality mics in the first place. The tape will at the very least garble the sound so the mic doesn’t have a clear pick-up.

    To use these devices — for example, when you want to make a You-Tube video– just remove the tape, then replace the tape when you’re done.

    007 gets defeated on the cheap– who woulda guessed?

  7. Cal says:

    You should not rely on webcams to keep an eye on your kids. Helicoptering much?!

  8. Reblogged this on ERecycle.

Leave a Reply