Slashdot Mirror

← Back to Stories (view on slashdot.org)

Website Peeps Into 73,000 Unsecured Security Cameras Via Default Passwords

Posted by Soulskill on from the security-through-insecurity dept.

colinneagle writes: After coming across a Russian website that streams video from unsecured video cameras that employ default usernames and passwords (the site claims it's doing it to raise awareness of privacy risks), a blogger used the information available to try to contact the people who were unwittingly streamed on the site. It didn't go well. The owner of a pizza restaurant, for example, cursed her out over the phone and accused her of "hacking" the cameras herself. And whoever (finally) answered the phone at a military building whose cameras were streaming on the site told her to "call the Pentagon."

The most common location of the cameras was the U.S., but many others were accessed from South Korea, China, Mexico, the UK, Italy, and France, among others. Some are from businesses, and some are from personal residences. Particularly alarming was the number of camera feeds of sleeping babies, which people often set up to protect them, but, being unaware of the risks, don't change the username or password from the default options that came with the cameras.

It's not the first time this kind of issue has come to light. In September 2013, the FTC cracked down on TRENDnet after its unsecured cameras were found to be accessible online. But the Russian site accesses cameras from several manufacturers, raising some new questions — why are strong passwords not required for these cameras? And, once this becomes mandatory, what can be done about the millions of unsecured cameras that remain live in peoples' homes?

13 of 321 comments (clear)

  1. Ethics by iluvcapra · · Score: 4, Insightful

    Just because a door is unlocked does not mean you may walk inside, even if it is to tell the owner their door is unlocked.

    --
    Don't blame me, I voted for Baltar.
    1. Re:Ethics by Anonymous Coward · · Score: 2, Insightful

      Samaritan says "hi subject #82644266222".

      WHAT?! You don't seriously want the world's AIs to learn about the world solely from 4Chan and wikipedia, do you? Yootoob user comments are probably what finally convinced skynet to off Mankind.


      Like the issue with automated license plate readers, this is another case where something is of little concern when it has to be done manually, one item at a time. But when you automate the process and can grab data on everyone with a click of a button, then you should start getting nervous.

    2. Re:Ethics by arth1 · · Score: 4, Insightful

      Just because a door is unlocked does not mean you may walk inside, even if it is to tell the owner their door is unlocked.

      No, but it also doesn't mean you're not an idiot for not locking your door.

      Blame is not a limited commodity - you can add blame to the idiots who don't take precautions without removing any blame from those who break in. Point fingers in both directions. The breeches is a cooperation of the idiots and the outers.

      When and why did being an idiot become a right?

    3. Re:Ethics by mythosaz · · Score: 3, Insightful

      To be fair, the Russian website isn't streaming the videos any more than TPB is hosting copyrighted material.

      The Russian website has a lot of IMBED tags and links, I imagine.

    4. Re:Ethics by JMJimmy · · Score: 1, Insightful

      A camera is not a private residence. Aside from legitimate cams intended to broadcast publicly, going inside a public or commercial building where a door is unlocked or the entry code is publicly known is completely legal and legitimate. In the case of cameras you don't know what it is until you enter, until then it's reasonable to assume it's a public/commercial camera. Once you learn what it is you should exit if it's reasonable for them to expect privacy and alert someone if it's intended to be secure/secret.

      One thing I question - 73,011 cams in 256 countries? There are only 190-200... even counting random psudo countries I don't think there are 256...

  2. Re:People buy stuff without understanding is... by arth1 · · Score: 5, Insightful

    To quote my own Mother, "I don't want to learn all that technical stuff, I just want to use my computer".

    That sounds like "I don't want to learn all that traffic stuff, I just want to drive on the highway."

    It might be better if there were two classes of devices, one run by others for them, and ones you drive yourself. All some people need is the equivalent of public transportation. We don't let people drive cars or fly planes without some basic skills, and while most don't get good at it, at least good enough to not be an instant hazard for everybody else.

     

  3. Re:People buy stuff without understanding is... by Jason+Levine · · Score: 5, Insightful

    Many people look at computers as if they are appliances. You don't need to know how to configure your toaster. You just plug it in and toast your bread. You don't need to edit some config file to make your refrigerator keep your food cold. Any "settings" come in the form of easy-to-read dials or buttons. Turn the dial on the stove and the heat goes on/up. Turn it the other way and it goes off. There's a group of people who expect computers to act like this. Unfortunately, computers are far more complex than any fridge or stove - especially once you go online and you are opened up to all of the security issues that this entails.

    --
    My sci-fi novel, Ghost Thief, is now available from Amazon.com.
  4. Re:try telling this to old people by Anonymous Coward · · Score: 5, Insightful

    Tell him they're like keys on a keyring. You need a different key to unlock your desk draw even after you've unlocked your house. And when you go to someone else's house, your key doesn't work for them.

  5. Re:Place the blame where it belongs by Imazalil · · Score: 4, Insightful

    But if a large number of users are not able to use their devices properly (ie. secure them) is that not the fault of the device maker? This isn't even about strong passwords, but just default passwords.

    It's a known fact that the general public is not security conscious, and that they do not read through manuals. Shouldn't the makers of these systems work towards making some basic security the default?

    The best, but not very good example is Windows. Microsoft provides lots of guidance on how not to get viruses or malware on Windows. Does that mean they get to wash their hands of anything that infects their user's machines when they open powerpoint slides from uncle Bob? Technically yes, but they do have some duty to make their product more secure because they know full well a large number (the majority) of people will click on any link that lands in their inbox.

  6. Re:People buy stuff without understanding is... by arth1 · · Score: 4, Insightful

    Because you can plow your computer into a sidewalk full of pedestrians. Totally great analogy, that.

    Yes, you can. Your computer can be used as a base for attacking critical infrastructure, because you allowed it to be.
    Or you let someone get to your credit card information so you can't afford medication a week.
    Or your router gets disabled so you can't dial for help through your IP phone.
    Or somone finds classified information on your PC and uses it for nefarious purposes costing lives.
    The possibilities are there. Bits and bites can kill people these days.

  7. Re:Not just cameras by Kaenneth · · Score: 3, Insightful

    That's when you return it to the vendor as defective.

    They get away with it because people put up with it.

  8. tempest in a teapot by Charliemopps · · Score: 3, Insightful

    So... some random person somewhere... can see my sleeping baby. But they have no idea where that baby is other than the last hop out of my ISP so they might know I'm somewhere in Atlanta... or whatever. Maybe if they stared at the feed 24/7 for years I might drop my water bill in the crib before I picked the baby up so they could get my address or something... But ok, so they can see a video feed of my sleeping baby? So what?

    Short of a camera pointed directly at my bed, or my toilet, I don't see how this would be that god awful. First, I'd never point a camera at my bed. Any camera. Second, someone seeing pictures of me walking around my pizza restaurant? With no address and no idea who I am or where my restaurant is? So what?!?! There are plenty of horribly invasive privacy problems out there. This isn't one of them.

    1. Re:tempest in a teapot by Anonymous Coward · · Score: 2, Insightful

      So... some random person somewhere... can see my sleeping baby. But they have no idea where that baby is other than the last hop out of my ISP so they might know I'm somewhere in Atlanta... or whatever. Maybe if they stared at the feed 24/7 for years I might drop my water bill in the crib before I picked the baby up so they could get my address or something... But ok, so they can see a video feed of my sleeping baby? So what?

      Short of a camera pointed directly at my bed, or my toilet, I don't see how this would be that god awful. First, I'd never point a camera at my bed. Any camera. Second, someone seeing pictures of me walking around my pizza restaurant? With no address and no idea who I am or where my restaurant is? So what?!?! There are plenty of horribly invasive privacy problems out there. This isn't one of them.

      Actually it doesn't take a lot of legwork. The default credentials to your cam will probably let me see what the Wifi SSID and password is... And what your neighbors SSIDs are too. Thats one more piece (and some services are nice enough to let me geolocate based on a SSID/mac). If you have a poorly secured (the default) residential gateway (many cable/dsl providers give these out for free and you get what you pay for when it comes to security) I can probably find out the names of all the PCs on your network. Do you or someone you love own an HP, that oh so helpfully named itself after the full name you entered when you set up Windows? Oops! Now I know your name. A quick stop to some other helpful sites on the internet (public records) will fill in the rest.

      You laugh, but I have successfully used this trick several times, it takes about 5 minutes of digging using freely available tools and a little brainpower, to start coming up with tons of info about a location in my city like resident names, address, list of household networked equipment, cams, phone presence (so i can be sure to stop by when i know no phones are home, i.e. no people are home) and the like. I wish I were exaggerating. To be fair, none of it is any more harmful than seeing a nice living room full of expensive toys through open curtains, but with the power of the internet I can troll thousands of houses (all within a few miles of me) with a few clicks and pick out exactly which kind of TV I want to steal.