Slashdot Mirror

← Back to Stories (view on slashdot.org)

Website Peeps Into 73,000 Unsecured Security Cameras Via Default Passwords

Posted by Soulskill on from the security-through-insecurity dept.

colinneagle writes: After coming across a Russian website that streams video from unsecured video cameras that employ default usernames and passwords (the site claims it's doing it to raise awareness of privacy risks), a blogger used the information available to try to contact the people who were unwittingly streamed on the site. It didn't go well. The owner of a pizza restaurant, for example, cursed her out over the phone and accused her of "hacking" the cameras herself. And whoever (finally) answered the phone at a military building whose cameras were streaming on the site told her to "call the Pentagon."

The most common location of the cameras was the U.S., but many others were accessed from South Korea, China, Mexico, the UK, Italy, and France, among others. Some are from businesses, and some are from personal residences. Particularly alarming was the number of camera feeds of sleeping babies, which people often set up to protect them, but, being unaware of the risks, don't change the username or password from the default options that came with the cameras.

It's not the first time this kind of issue has come to light. In September 2013, the FTC cracked down on TRENDnet after its unsecured cameras were found to be accessible online. But the Russian site accesses cameras from several manufacturers, raising some new questions — why are strong passwords not required for these cameras? And, once this becomes mandatory, what can be done about the millions of unsecured cameras that remain live in peoples' homes?

23 of 321 comments (clear)

  1. Ethics by iluvcapra · · Score: 4, Insightful

    Just because a door is unlocked does not mean you may walk inside, even if it is to tell the owner their door is unlocked.

    --
    Don't blame me, I voted for Baltar.
    1. Re:Ethics by Ichijo · · Score: 5, Interesting

      How would a good person inform the owner that their door is unlocked if the only way is contact them is to walk inside? Or is the correct response to just walk away?

      --
      Any sufficiently unpopular but cohesive argument is indistinguishable from trolling.
    2. Re:Ethics by Anonymous Coward · · Score: 5, Interesting

      That analogy certainly applies to the Russian website that is streaming the videos, but I think the blogger who has discovered this website that is streaming videos from people's homes and then tried to contact the owners is more like someone seeing their neighbors door open, some people that shouldn't be there walking out the door and then peaking in the door and calling out to see if everything is okay or letting them know when they get home that someone was in their house.

    3. Re:Ethics by arth1 · · Score: 4, Insightful

      Just because a door is unlocked does not mean you may walk inside, even if it is to tell the owner their door is unlocked.

      No, but it also doesn't mean you're not an idiot for not locking your door.

      Blame is not a limited commodity - you can add blame to the idiots who don't take precautions without removing any blame from those who break in. Point fingers in both directions. The breeches is a cooperation of the idiots and the outers.

      When and why did being an idiot become a right?

    4. Re:Ethics by fahrbot-bot · · Score: 3, Informative

      When and why did being an idiot become a right?

      It's right there in the Declaration of Independence (for people in the US anyway) -- "Life, Liberty and the pursuit of Happiness" -- and ignorance is bliss (or so I've heard...)

      --
      It must have been something you assimilated. . . .
    5. Re:Ethics by mythosaz · · Score: 3, Insightful

      To be fair, the Russian website isn't streaming the videos any more than TPB is hosting copyrighted material.

      The Russian website has a lot of IMBED tags and links, I imagine.

    6. Re:Ethics by JMJimmy · · Score: 3, Informative

      There looks to be 255 'territorial' top level domains ("country code" TLDs) - not all of which are acknowledged as countries in say, the UN.

      That 255 includes:
      1 for European Union
      1 for Antarctica
      2 for Russia
      2 for East Timor
      2 for UK
      yu, .zr, .an, .cs, .dd no longer exist as countries
      a crapload of administrative/dependent territories that are inconsistently applied. ie: Canada's "territories" do not get TLDs but similar entities in other countries do.

    7. Re:Ethics by fahrbot-bot · · Score: 4, Informative

      I know you are joking, but the line was plagiarized/borrowed. The original line was "life, liberty, and the pursuit of property". But It wasn't simply about the right to accumulate a bunch of luxuries; in context, it was referring to the pursuit of things that are somehow relevant to a satisfying and productive life. So it would be the right to pursue home ownership for your family, maybe fields for farming, and for many ./ers, it would be the right to accumulate gadgets, for the musically inclined, the right to procure instruments, etc. It doesn't take much of a stretch to go from this sort of enlightened satisfaction, to calling it merely "happiness" for simplicity.

      Take it from someone who, at 51, is debt-free, has a net-worth of almost $2M, but lost his wife in 2006 after 20 years together, "property" does not make "happiness". Though having "things" might make your pursuit of satisfaction and/or productivity (whatever that means to you) easier, property is a means to an end. Happiness is something you realize from within and, possibly, experience with someone else.

      Even after 20 years together, Sue and I held hands where ever we went - I miss that and nothing else I have can, or could ever, compensate for losing her. Remember Sue...

      The line is better written as, "the pursuit of happiness."

      --
      It must have been something you assimilated. . . .
  2. try telling this to old people by alen · · Score: 4, Interesting

    my father in law went to the at&t store with help on his wifi only ipad. he's totally confused by the need for an itunes store account password, wifi password on his home wifi and wifi passwords at other places

    1. Re:try telling this to old people by Anonymous Coward · · Score: 5, Insightful

      Tell him they're like keys on a keyring. You need a different key to unlock your desk draw even after you've unlocked your house. And when you go to someone else's house, your key doesn't work for them.

  3. People buy stuff without understanding is... by FlyHelicopters · · Score: 4, Informative

    Film at 11...

    The truth is, many people are using technology today without really understanding any of it. Even my own wife is pretty gumby with computers, if I wasn't there to do something about it, I have no doubt they would be full of malware and viruses.

    To quote my own Mother, "I don't want to learn all that technical stuff, I just want to use my computer".

    Yea, I have to say, I have to clean her machine off of crap every year. Every time I go over there, Internet Explorer has 5 or 6 toolbars installed because she clicks on everything.

    And no, she won't let me restrict and lock down the machine, I've tried that.

    1. Re:People buy stuff without understanding is... by arth1 · · Score: 5, Insightful

      To quote my own Mother, "I don't want to learn all that technical stuff, I just want to use my computer".

      That sounds like "I don't want to learn all that traffic stuff, I just want to drive on the highway."

      It might be better if there were two classes of devices, one run by others for them, and ones you drive yourself. All some people need is the equivalent of public transportation. We don't let people drive cars or fly planes without some basic skills, and while most don't get good at it, at least good enough to not be an instant hazard for everybody else.

       

    2. Re:People buy stuff without understanding is... by Jason+Levine · · Score: 5, Insightful

      Many people look at computers as if they are appliances. You don't need to know how to configure your toaster. You just plug it in and toast your bread. You don't need to edit some config file to make your refrigerator keep your food cold. Any "settings" come in the form of easy-to-read dials or buttons. Turn the dial on the stove and the heat goes on/up. Turn it the other way and it goes off. There's a group of people who expect computers to act like this. Unfortunately, computers are far more complex than any fridge or stove - especially once you go online and you are opened up to all of the security issues that this entails.

      --
      My sci-fi novel, Ghost Thief, is now available from Amazon.com.
    3. Re:People buy stuff without understanding is... by arth1 · · Score: 4, Insightful

      Because you can plow your computer into a sidewalk full of pedestrians. Totally great analogy, that.

      Yes, you can. Your computer can be used as a base for attacking critical infrastructure, because you allowed it to be.
      Or you let someone get to your credit card information so you can't afford medication a week.
      Or your router gets disabled so you can't dial for help through your IP phone.
      Or somone finds classified information on your PC and uses it for nefarious purposes costing lives.
      The possibilities are there. Bits and bites can kill people these days.

  4. Re:Place the blame where it belongs by Imazalil · · Score: 4, Insightful

    But if a large number of users are not able to use their devices properly (ie. secure them) is that not the fault of the device maker? This isn't even about strong passwords, but just default passwords.

    It's a known fact that the general public is not security conscious, and that they do not read through manuals. Shouldn't the makers of these systems work towards making some basic security the default?

    The best, but not very good example is Windows. Microsoft provides lots of guidance on how not to get viruses or malware on Windows. Does that mean they get to wash their hands of anything that infects their user's machines when they open powerpoint slides from uncle Bob? Technically yes, but they do have some duty to make their product more secure because they know full well a large number (the majority) of people will click on any link that lands in their inbox.

  5. Not just cameras by RobinH · · Score: 5, Interesting

    Cameras are a problem, but it's not just cameras anymore. Nest thermostats, for instance, have occupancy sensors and they connect to the internet to work. So your thermostat tells a server on the internet if anyone's home (potentially). Smart meters have similar problems. We recently bought a temperature sensor (AVTECH brand) for our small server closet, and it automatically connected to GoToMyDevices.com as soon as I got it on the network, and started uploading sensor data. There was nowhere in the device's built-in web interface to enable or even disable this "feature". Nothing in the documentation. I looked online and found a forum where it explained that you had to telnet to the device, and at the main menu you had to select a hidden menu item, and then type a command to turn off this feature. It's that kind of absurdity that makes the whole "internet of things" just a house of cards waiting to collapse.

    --
    "I have never let my schooling interfere with my education." - Mark Twain
    1. Re:Not just cameras by Kaenneth · · Score: 3, Insightful

      That's when you return it to the vendor as defective.

      They get away with it because people put up with it.

  6. Re:what's the fucking site? by nukenerd · · Score: 4, Informative

    http://www.insecam.com/

  7. Manufacturers can help make this better by Terry+Pearson · · Score: 3, Informative

    This is because of people who are too lazy or too intimidated by technology to understand it. You buy the camera, many times you open a port on a router, but you fail to change the password. I am not going to blame the manufacturer for that.

    However, manufacturers could make the default a lot more secure by using methods to randomize the default passwords of the cameras. I've setup routers where the default password is printed on a plate on the bottom (next to the mac address and default IP). This gives you a degree of randomness and makes brute force near impossible without physical access to the device. This way, the user still has the freedom to change to a blank password, 'password' as password etc. if they choose to unprotect themselves. But the default becomes reasonably secure.

    This is mostly a problem with users, but sometimes the manufacturer needs to adjust the process to help the intimidated, ignorant, or lazy user along.

    1. Re:Manufacturers can help make this better by phorm · · Score: 3, Interesting

      These days when the local ISP's give out routers, there is a stamp on the router that has the default login, wifi ESSID, and wifi login. You can change these of course, but the defaults are not the same between customers.

      When I setup my firewall, it *WOULDN'T* work until I first set a password. This was the very first step.

      This isn't customers - many who are less tech savvy - being lazy, it's the manufactures. There is absolutely no reason that they can't either package a unique password or simply require the users to create a password before the first use.

  8. Re:Why not strong passwords? by phantomfive · · Score: 4, Informative

    Default, simple or non-existent passwords on consumer appliances have nothing to do with programmers.

    So, I had a wireless router once that would not turn on until I changed the password. It is very much a problem that can be solved by programmers.

    --
    "First they came for the slanderers and i said nothing."
  9. tempest in a teapot by Charliemopps · · Score: 3, Insightful

    So... some random person somewhere... can see my sleeping baby. But they have no idea where that baby is other than the last hop out of my ISP so they might know I'm somewhere in Atlanta... or whatever. Maybe if they stared at the feed 24/7 for years I might drop my water bill in the crib before I picked the baby up so they could get my address or something... But ok, so they can see a video feed of my sleeping baby? So what?

    Short of a camera pointed directly at my bed, or my toilet, I don't see how this would be that god awful. First, I'd never point a camera at my bed. Any camera. Second, someone seeing pictures of me walking around my pizza restaurant? With no address and no idea who I am or where my restaurant is? So what?!?! There are plenty of horribly invasive privacy problems out there. This isn't one of them.

  10. Time sink ... by CaptainDork · · Score: 3, Informative

    ... after an hour of poking around. Nothing to see.

    --
    It little behooves the best of us to comment on the rest of us.