Russian webcam-spying site highlights common security failing

A Russian website collecting images from internet-connected cameras highlights a common security failing, say security professionals

A Russian website collecting streaming images from internet-connected cameras in the UK and more than 200 other countries highlights a common security failing, say information security professionals.

The website, which provides 500 feeds from the UK alone, streams images from webcams and CCTV systems using either default passwords or no passwords at all.

Information security professionals at the GovNet Cyber Security Summit 2014 in London said the issue is well known in the industry, particularly relating to devices such as webcams.

However, the issue also affects thousands of other internet-connected devices commonly used in the enterprise, such as routers and network-attached storage devices.

Exposed devices are easy to find using internet search engines or websites like Shodan, which publish an index of internet-exposed devices, said security consultant at MWR InfoSecurity Guillermo Lafuente.

“If any devices discovered on Shodan or search engines were configured with default credentials, then it would be straightforward for an attacker to compromise that device,” he said.

More on the internet of things

  • Act now on IoT security, says Beecham Research
  • UK government backs consortium's search for IOT standard
  • What will IoT technology mean to analytics?
  • Supporting IoT devices requires careful WLAN design
  • Top hardware firms join forces on IoT standards
  • How connected cars, IoT devices will drive enterprises
  • Specialised networks key part of IoT migration
  • IoT's supply chain benefits becoming clearer
  • Gartner highlights IoT security, security vs. compliance conflict
  • Intel's new lab in Swindon to fuel IoT projects

Lafuente advised users of webcams and other internet-connected devices to ensure they always have the latest software updates and frequently change their passwords.

The issue was highlighted in May 2014 by a team of researchers from Context Information Security who found more than 200 accessible internet protocol (IP) cameras in the London area.

“We have been seeing this issue for at least the past three years,” said David Bryan, a security tester at Trustwave.

In one security test for a company, Bryan found a default password was being used to access a webcam that was pointed directly at the safe in the manager’s office.

The use of default or weak passwords is regularly highlighted by security researchers and testers as a way attackers use to access a wide variety of enterprise systems and appliances.

“Developers are also pressured to roll out devices to market quickly and cheaply – leaving little room, if any, to perform security scanning and testing during the development stage,” said Bryan.

Older versions vulnerable

The makers of one of the camera types hijacked by the Russian website told the BBC only older versions were vulnerable.

Foscam said software for newer versions of its camera forces users to choose a new password to replace the default password before the device can be accessed.

Although this solves the problem of using default passwords which can be easily found by attackers, it does not address the issue of weak passwords.

According to the 2014 Trustwave Global Security Report, weak passwords led to an initial intrusion in 31% of compromises analysed by the firm in the past year.

Trustwave analysed more than 625,000 password hashes and found 54% were cracked in just a couple of minutes and 92% in 31 days.  

Trustwave found the most commonly used password was Password1.

“Although this password is easily guessable and is in password dictionaries used for cracking, Password1 satisfies most password policy requirements. It is longer than eight characters and includes an uppercase letter and a numeral,” said Bryan.

Hugh Boyes of the Institution of Engineering and Technology (IET) said it is common practice for many networked products to have no password set or use a well-known default password when installed.

“To protect their security and privacy users need to ensure these devices are correctly set up and where applicable new passwords or PINs are set,” said Boyes.

He said basic cyber hygiene like this helps protect the security and privacy of children, and it is particularly important where webcams are installed in bedrooms or other private spaces.

“As more consumer devices are networked as part of the emerging internet of things (IoT), this issue will become more pressing,” said Boyes.

Users need to follow good password practices

Highlighting the issue of default or weak passwords as a serious risk to privacy, the Information Commissioner’s Office (ICO) has urged users of webcams to ensure they are following good password practices.

The ICO said the threat is significant, with 350,000 webcams sold in the UK in the past year alone, and more than 500 UK video streams appearing on the Russian spying website.

“This is a threat all of us need to be aware of and be taking action to protect against,” said ICO group manager for technology Simon Rice.

“Default passwords many manufacturers use are freely available online so make sure you get it changed. If the device doesn’t have a password, then, as a bare minimum, you should set one up,” he said.

Rice also advised webcam users to take time to read the manual to find out what security options are available.

Hacking into a device’s camera offers those with malicious intent access to our images, our most intimate moments, our identities – and the people we want to protect most, such as our children

David Emm, Kaspersky Lab

“The ability to access footage remotely is both an internet camera's biggest selling point and, if not set up correctly, potentially its biggest security weakness,” he said.

Rice said users should consider what measures they have in place to ensure no-one else is able to access their webcam feeds.

“If you have a camera in your home and have no intention of viewing the footage over the internet, then the best thing to do is to go into the device’s security settings and see if you can turn the remote viewing option off,” he said.

Rice warned webcams are not the only devices that hackers may be able to access remotely, and urged users of cloud-based services to ensure they are using all the security services available, such as two-factor authentication.

Shutting down spying website

The ICO said it would work with the Russian authorities and others to have the spying website shut down.

The ICO is also working with other global data protection and privacy authorities on collaborative action connected to the website showing unsecure webcam images, while advising people on the steps they can take to protect their information

Principal security researcher at Kaspersky Lab David Emm said the issue also affects mobile devices.

“Our research shows that most people are unaware cyber criminals can use malicious software to take over the camera and microphone of mobile devices,” he said.

Emm said people see mobile devices as their window on the world, but they do not realise they can also be a window on their lives for cyber criminals.

“Hacking into a device’s camera offers those with malicious intent access to our images, our most intimate moments, our identities – and the people we want to protect most, such as our children,” he said.

Emm said all users of mobile devices should ensure they are fully protected with security software.

“Cyber attacks aimed at mobile devices are increasing rapidly and it’s no longer just our laptops and desktop PCs that need protecting,” he said.

Read more on Privacy and data protection