November 21, 2014

Who is to blame for “hacked” private cameras?

News Security

Recent news about “hacked webcams,” “breached baby monitors” and even a “Russian website monitoring British citizens appears to be all over the place. Judging by comments from all of the affected parties, the situation is indeed serious. Why is that?


For starters, everyone from users to officials and webcam manufacturers is blaming each other instead of trying to find a solution to the problem. Ultimately, one major take away from this story is that if you own a device that is connected to the Internet, you should certainly follow security news. Otherwise, your private life may, at some point, surface online and you won’t even know about it.

So what happened?

Say you buy a webcam. Not a common one with a USB port that plugs into your computer, but a fancy wireless camera that streams video and allows you to observe your baby, your car in a garage or a sidewalk near your home, from another room, another town or even another country. You plug it in, follow the simple steps outlined in that “Quick launch” leaflet and it works just like that! It is a brilliant piece of technology and a true example of the modern digital world.

Not exactly. The problem lies in the “it works just like that” part. As it turns out, many users, satisfied solely by the fact that the device was operational, did not bother to change the default password or, maybe, did not even know that such a thing was possible or recommended.

A failure to change the password means that everyone who knows the exact address of the camera and the default password (you know, the ‘1234’ type), could access your very private data. So, how could one know the exact address of a camera? One can enter a tricky search term into Google and access links to thousands of cameras online.

It didn’t take long for someone else to set up a website that seeks out unprotected webcams and sorts them by country and region (based on the IP address) for all of the bad guys out there to enjoy. There is even a thread in a limited-access forum where people can discuss the screenshots taken from webcams with the most ‘remarkable’ content. Yikes!

Who is to blame?

Both everyone and no one. First, let’s consider cybercriminals. The people who established the website did not actually hack anything using sophisticated technology. They did not exploit vulnerabilities in a camera’s software or set up a phishing website to steal your private passwords. They simply took advantage of a misconfiguration.

These cybercriminals broke into a device that was not designed with security in mind. One could compare it to taking a wallet that was forgotten in a cafe. The owner of the wallet should not have left it in a public place to begin with. While stealing it is not comparable to breaking into somebody’s home, it is still considered a bad thing to do.

Now let’s consider the users. They failed to change the default password, though it was likely recommended somewhere in the manual (page 57, in small print, or something like that). However, do people really read the manual for a device that “just works”? Webcam manufacturers design them to be as easy to operate as possible. Sometimes they may overlook security issues for the sake of simplicity. If a camera required a user to change the default password before starting to use it (a very simple thing to do), the entire incident would be preventable.

How about the vendors? They tend to blame “hackers” and their own clients that fail to change a default password. Our choice is to side with consumers. We believe that everything with an internet connection should be designed with security in mind. We also believe that the vendors should explain security, in the simplest terms possible, to their clients and do their best to secure their clients’ private lives.

Welcome to the amazing world of computers!

In general, we contribute to the incidents that occur because we think of many devices as simple utility gadgets that merely do one or two simple tasks (like stream videos or provide WiFi access).

In reality, it is way more complicated than that. Many cameras, home routers, smart TVs, set-top boxes and music players are actually real computers capable of doing a lot more than they usually do. Actually, most of them tend to have these capabilities because manufacturers use standard, general-purpose hardware and software, as it is the cheapest method. Your home router provides WiFi, but it is powerful and sophisticated enough to control a space vehicle. That is what cybercriminals take advantage of.


Since not all providers of hardware, software and web services are thinking enough about security, we have to take care of it ourselves. There are two ways to do so. The first way is to learn about computers, software, programming, networks, analyzing vulnerabilities and communication protocols, and modify your own system to be protected from all kinds of threats.

The second way is to rely on professionals. For computers, smartphones and tablets this is not a problem (take a look at Kaspersky Internet Security). However, devices such as webcams, routers and smart TVs are very diverse and deliberately closed by vendors for external reviews, making it nearly impossible to come up with a single security solution. So read the manual and call your IT guy to take care of security settings (but type the passwords yourself).

To learn more about similar “hacks”, take a look at this brilliant research by Kaspersky Lab’s expert, David Jacoby, titled “How I hacked my home.”

There is good news. Two days after the news broke, the website in question was shut down. But the bad news is that before the shut down, it was operational for at least six months. Even worse news: the misconfiguration that made the whole thing possible was revealed on one Russian technology website as early as August 2013 (not to mention that real cybercriminals could have used it long before that).

The fact that the website is gone does not mean that the affected cameras are secure. One could still find and access them using simple tools like a Google search. The only definite solution is to change the webcam default password. The devices produced by at least one manufacturer (Foscam) are known to be affected.