
Reports broke earlier this month about a website that was live streaming footage from more than 70,000 Internet-connected security cameras. In the past few days, the media reports have gotten hysterical with the Daily Mail reporting — and I use that word loosely — that Russians spy on UK families via their webcams. This particular website has now been removed but the security threat is not gone.

I’ve looked into it, talked to a security expert and worked out some of how the supposed hack occurred.

Were The Cameras Hacked?

All the cameras on the website were broadcasting their feed online because they were designed to do so. The three main manufacturers represented on the site were Foscam, Linksys and Panasonic. They all produce cameras like this model from Linksys that send video to your computer over your local network or, critically, over the Internet so you can access the feed from anywhere.

Kevin Sheldrake, an information security consultant and friend of mine, explained that, “It doesn’t look like the cameras were actually hacked in the traditional sense. It looks like they just used default credentials, or no credentials, to access camera feeds that were found through Google.”

Google Hacking

According to the site’s now-removed FAQ, the cameras were found with what Kev calls “Google hacking”. Many of the affected cameras’ webpages include things like “live feed” and the camera model in the title tag. By using advanced search operators such as intitle:, it’s possible to find all of these pages that have been indexed by Google.

The webpages these cameras set up are, in theory, private. They aren’t explicitly delisted from Google but in general they aren’t meant to be found. Google finds sites by following links. If Google can’t find links to a site, it can’t index it. All the affected cameras’ webpages ended up on Google. This means that, for some reason, there is a link somewhere on the Internet pointing to each camera’s webpage.

I investigated the webpage of one of the affected cameras. It was situated in a photography shop and was accessed via a backlink on the shop’s website, which is how it ended up on Google. The story for all the other cameras will be similar.

How The Cameras Were Accessed

Even if the camera’s webpage is listed on Google, it shouldn’t be an issue. The feed is normally password protected. It only becomes a problem if the camera user hasn’t changed the password from the manufacturer-set default or, even worse, has left it entirely unsecured. This is what happened with all the affected cameras.

The default passwords for most cameras are publicly available on the manufacturer’s website. You can find a specific model of camera using Google hacking and then look up its default password. If it hasn’t been changed, or a password hasn’t been set, you’re in.

Why This Is Still A Problem

The website that had everyone panicked automated the process of finding camera webpages and then trying the default password. If it worked, it scraped the feed and added it to the website. If it didn’t, the webpage was ignored.

73000 feeds were found using this process.

Although the site has been taken down, the problem remains. The site was just an aggregator. All the affected cameras’ webpages are still online, essentially unprotected. Anyone with a bit of knowledge of Google can do the exact same process manually. The fact the site is gone only makes it marginally harder.

Even worse, Kev explained that, “Historically, these kinds of Internet cameras have been plagued by multiple classic security vulnerabilities, such as poor user authentication and code injection through the web interface. They also usually fail to use modern Linux/Unix security models, meaning that one code injection vulnerability causes the entire camera to be controlled by the attacker. Once an attacker controls your camera, they can use it as a jump off point to attack everything else on your network.” That is a serious vulnerability.

Securing Your Camera

There’s no easy way to tell if your camera is affected. The best thing to do is assume that it is and take steps to secure it. There are two things you need to do: try to prevent it from appearing in Google search results and protect it with a secure password.

It’s possible to remove a webpage from Google but you need access to the page’s HTML code. This doesn’t appear to be possible with the majority of the cameras. Instead, make sure that Google never finds your camera’s webpage.

Use the following list of “Five Don’ts” to keep your Internet-enabled security camera secure:

  1. Don’t ever share the link to your camera’s webpage on the open web.
  2. Don’t link to or embed it on your website.
  3. Don’t post it on your Facebook page.
  4. Don’t share it on Twitter.
  5. Especially, don’t link to it on Google+.

As long as the camera’s webpage is never indexed by Google, it won’t show up in search results no matter what advanced tricks are used.

Additionally, change the password from the default to something long and secure. At MakeUseOf we’ve told you about a couple of ways you can make secure, memorable passwords. Use one of them and make the password as long as possible. This way, even if Google does index the webpage, accessing the camera requires significant effort.

Finally, think about whether you need to be able to access your camera from anywhere. If you don’t, turn off the webpage in your camera’s settings.
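
The checks described above (is the page password protected, can a search engine index it, does the title give the camera away) can be run against a response saved from your own camera’s webpage. The Python below is an added example, not part of the original article; the function name, finding labels and sample responses are constructed for illustration, and it assumes the camera uses an HTTP authentication challenge rather than a login form.

```python
from html.parser import HTMLParser

class _PageScan(HTMLParser):
    """Collects the <title> text and any <meta name="robots"> directive."""
    def __init__(self):
        super().__init__()
        self.title, self.robots, self._in_title = "", "", False
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "title":
            self._in_title = True
        elif tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.robots = (a.get("content") or "").lower()
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def audit_response(status, headers, body, title_words=("camera", "live feed")):
    """Return findings for one response from your own camera's webpage."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    scan = _PageScan()
    scan.feed(body)
    findings = []
    # A protected page answers 401 with an auth challenge; a plain 200 is open.
    if status == 200 and "www-authenticate" not in hdrs:
        findings.append("no-auth")
    # Indexable unless the server header or the page itself says noindex.
    robots = hdrs.get("x-robots-tag", "").lower() + " " + scan.robots
    if "noindex" not in robots:
        findings.append("indexable")
    # Titles naming the feed or device are what intitle: searches match.
    if any(w in scan.title.lower() for w in title_words):
        findings.append("revealing-title")
    return findings

# Constructed sample responses (not captured from any real device).
OPEN_CAM = (200, {"Content-Type": "text/html"},
            "<html><head><title>Live Feed - ExampleCam 100</title></head></html>")
LOCKED_CAM = (401, {"WWW-Authenticate": 'Basic realm="camera"',
                    "X-Robots-Tag": "noindex"},
              "<html><head><title>Login</title></head></html>")

if __name__ == "__main__":
    for name, resp in (("open", OPEN_CAM), ("locked", LOCKED_CAM)):
        print(name, audit_response(*resp))
```

An empty list means none of the three exposures was seen in that response; it says nothing about whether the password itself is still the default.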

Have you been affected by this, or any similar, “hack”? Please share your story in the comments.

  1. C B
    November 27, 2014 at 5:52 pm

    This has been a big problem lately. Security cams being streamed online is extremely creepy and will hopefully be resolved as soon as superior automatic firewall protection is implemented by retail consumers over the near three to five years. http://learndebt.com

  2. bben
    November 27, 2014 at 2:14 pm

    Most of this is very good advice, especially if your camera is inside the house. I have an 8 camera system - my yard is well covered by video. If someone does manage to crack my custom password they will see a fairly boring 24/7 stream of the mundane goings on in my rural yard. As recording is motion triggered, there are a lot of gaps in the recording. The cat coming and going, friends & relatives stopping by, my car backing out of and going into the garage, the occasional deer and other wildlife that wander across my yard, neighborhood kids using my corner lot as a short cut - and mostly spider webs and trees being blown by the wind triggering the motion sensor. I had a great recording of a large spider that made a web directly in front of one camera. The sensitivity is set low enough that most birds flying across don't trigger it. I imagine most of these feeds are just as mundane and boring to the voyeurs that are hoping to see some young woman stripping in front of a home video camera.

    • Harry
      November 29, 2014 at 8:00 pm

      Hey bben. Yep, there was nothing of note in the feeds I saw when researching for this article. People do get too caught up in privacy scandals sometimes, especially if what is revealed is really not that important.

  3. dragonmouth
    November 27, 2014 at 12:21 am

    And how many other Internet-enabled devices are there that can be exploited in a similar manner?

    Maybe users who want to set up a Smart Home should have to pass an intelligence test before they are allowed to proceed?

    Maybe people who think that two sharpened sticks are an example of high tech should not be allowed anywhere near Internet-enabled devices.

    • Harry
      November 29, 2014 at 7:58 pm

      According to Kev pretty much anything. Especially ones that are based off Linux/Unix stuff because the vulnerabilities are documented. Custom software is generally crap and can be hacked but it takes a bit of work.

  4. Roger Caldwell
    November 26, 2014 at 8:34 pm

    Yep, not hacked at all! Just irresponsible people leaving the default password/username in place. SHAME ON THEM!!! They need to quit whining and STFU.

    • Harry
      November 29, 2014 at 7:56 pm

      Yep! So much of good security is just being a little better than everyone else.
