Reports broke earlier this month about a website that was live streaming footage from more than 70,000 Internet connected security cameras. In the past few days, the media reports have gotten hysterical with the Daily Mail reporting — and I use that word loosely — that Russians spy on UK families via their webcams. This particular website has now been removed but the security threat is not gone.
I’ve looked into it, talked to a security expert and worked out some of how the supposed hack occurred.
Were The Cameras Hacked?
All the cameras on the website were broadcasting their feed online because they were designed to do so. The three main manufacturers represented on the site were Foscam, Linksys and Panasonic. They all produce cameras like this model from Linksys that send video to your computer over your local network, or critically, over the Internet so you can access the feed from anywhere.
Kevin Sheldrake, an information security consultant and friend of mine, explained that, “It doesn’t look like the cameras were actually hacked in the traditional sense. It looks like they just used default credentials, or no credentials, to access camera feeds that were found through Google.”
According to the site’s now-removed FAQ the cameras were found with what Kev calls “Google hacking”. Many of the effected cameras’ webpages include things like “live feed” and the camera model in the title tag. By using advanced search operators such as intitle: it’s possible to find all of these pages that have been indexed by Google.
The webpages these cameras set up are, in theory, private. They aren’t explicitly delisted from Google but in general they aren’t meant to be found. Google finds sites by following links. If Google can’t find links to a site it can’t index it. All the affected camera’s webpages ended up on Google. This means, that for some reason, there is a link somewhere on the Internet pointed to the camera’s webpage.
I investigated the webpage of one of the affected cameras, which was situated in a photography shop and accessed via a backlink on the shop’s website – how it ended up on Google. The story for all the other cameras will be similar.
How The Cameras Were Accessed
Even if the camera’s webpage is listed on Google, it shouldn’t be an issue. The feed is normally password protected. It only becomes a problem if the camera user hasn’t changed the password from the manufacturer set default, or even worse, left it entirely unsecured. This is what happened with all the effected cameras.
The default passwords for most cameras are publicly available on the manufacturers website. You can find a specific model of camera using Google hacking and then look up it’s default password. If it hasn’t been changed, or a password hasn’t been set, you’re in.
Why This Is Still A Problem
The website that had everyone panicked automated the process of finding camera webpages and then trying the default password. If it worked, it scraped the feed and added it to the website. If it didn’t, the webpage was ignored.
73000 feeds were found using this process.
Although the site has been taken down, the problem remains. The site was just an aggregator. All the affected cameras’ webpages are still online, essentially unprotected. Anyone with a bit of knowledge of Google can do the exact same process manually. The fact the site is gone only makes it marginally harder.
Even worse, Kev explained that, “Historically, these kind of Internet cameras have been plagued by multiple classic security vulnerabilities, such as poor user authentication and code injection through the web interface. They also usually fail to use modern linux/unix security models, meaning that one code injection vulnerability causes the entire camera to be controlled by the attacker. Once an attacker controls your camera, they can use it as a jump off point to attack everything else on your network.” That is a serious vulnerability.
Securing Your Camera
There’s no easy way to tell if your camera is affected. The best thing to do is assume that it is and take steps to secure it. There are two things you need to do: try to prevent it from appearing in Google search results and protect it with a secure password.
It’s possible to remove a webpage from Google but you need to be able to have access to the HTML code. This doesn’t appear to be possible with the majority of the cameras. Instead, make sure that Google never finds your camera’s webpage.
Use the following list of “Five Don’ts” to keep your Internet-enabled security camera secure:
- Don’t ever share the link to camera’s webpage on the open web.
- Don’t link to or embed it on your website.
- Don’t post it on your Facebook page.
- Don’t share it on Twitter.
- Especially, don’t link to it on Google+. As long as the camera’s webpage is never indexed by Google, it won’t show up in search results no matter what advanced tricks are used.
Additionally, change the password from the default to something long and secure. At MakeUseOf we’ve told you about a couple of ways you can make secure, memorable passwords. Use one of them and make the password as long as possible. This way, even if Google does index the webpage, accessing the camera requires significant effort.
Finally, think whether you need to be able to access your camera from anywhere. If you don’t, turn off the webpage in your camera’s settings.
Have you been effected by this, or any similar, “hack”? Please share your story in the comments.