“This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private the only thing you need to do is to change your camera password.”
A nightmare from the Internet of Things has arrived just in time for Christmas: images from thousands of internet-connected cameras from all over the world are publicly available, online, and ready for anyone to easily view. In September, MailOnline reported about an unspecified website that allows ‘home hackers’ to spy on people through internet-connected cameras. About a week ago, Motherboard‘s Joseph Cox also reported on the website without explicitly mentioning the website’s URL in his article. However, by linking to a WHOIS-record of the website’s domain name, Cox gave away the website’s URL. Many Dutch media are now reporting about the website and mention the website’s URL: insecam.com.
From pictures of backyards to schoolyards, detention centres to daycare centers, and even living rooms, you can watch them all on insecam.com. After browsing the website for a while, I saw many pictures of recognizable people having a coffee or working at their office. Below are some less-intrusive examples that hopefully still illustrate the magnitude of the privacy problems at issue.
The website offers thousands of streams of internet-connected cameras that have not had their default username and password changed. These default login details usually can be found in security camera manuals that are often also available online. Because there are apparently thousands of users of cameras who did not change these login details, it was only a matter of time until one website aggregated these cameras for everyone else to tune into.
“These cameras are not hacked. Owners of these cameras use default password by unknown reason. There are a lot of ways to search such cameras in internet using google, search software or specialised search sites.”
The website’s goal is to underline the importance of changing default usernames and passwords:
Signalling security flaws is important. But using those flaws to break through security and infringe the privacy rights of others is less compassionate. Moreover, trying to get access to a computer system by guessing usernames and passwords could be considered an act of hacking in certain jurisdictions. The creators of insecam.com should not be taken seriously when they argue that they want to increase awareness about security settings through the destruction of privacy.
Another concern is that the person whose life is portrayed on the security camera’s images is not necessarily the person who set up the camera. Should the privacy of kids playing at their daycare center be infringed just because an IT worker forgot to change the password? Ignorance to the Internet of Things lets that happen.
The design of internet-conected security cameras could use a simple change: As long as these cameras are sold to consumers (and installers) with little background in IT, let alone robust network security, the target for effective action should be the manufacturers of security cameras. What’s easier than a design a fix that requires users to change any new camera’s login details before it can connect to the internet? Plug & Secure; Then play.
COO Chase Rhymes of camera manufacturer Foscom has told Joseph Cox that Foscom already require their users to change the password during the setup process. Rhymes: “For cameras already being used, he claimed that an update was released that would force users to change the password. The company also claimed to have contacted customers and retailers by email.”
Linksys, also an camera manufacturer, heard of the website through Joseph Cox. The company is “still trying to determine which Linksys IP cameras are referenced on the site,” but it believes they are old, out-of-production models. Linksys’ newer cameras display a warning to users who have not changed their default log in details.
Clearly not all Foscam users installed the update. Part of the reason for that could be Foscom’s inability to reach out to all its customers. The fact that Linksys no longer sells camera’s that do not require to change the password isn’t very satisfactory either. How about remotely applied updates for your new products? Consumer trust is key to making the Internet of Things a success. It’s well time these and other manufacturers of internet-connected products start building a safer Internet of Things.