{"id":4317,"date":"2014-11-21T11:00:38","date_gmt":"2014-11-21T16:00:38","guid":{"rendered":"http:\/\/me-en.kaspersky.com\/blog\/?p=4317"},"modified":"2020-02-26T18:59:19","modified_gmt":"2020-02-26T14:59:19","slug":"massive-webcam-breach","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/massive-webcam-breach\/4317\/","title":{"rendered":"Who is to blame for “hacked” private cameras?"},"content":{"rendered":"

Recent news about \u201chacked webcams,\u201d \u201cbreached baby monitors\u201d and even a \u201cRussian website monitoring British citizens appears to be all<\/a> over<\/a> the place<\/a>. Judging by comments from all of the affected parties, the situation is indeed serious. Why is that?<\/p>\n

\"eye_SQ\"<\/a><\/p>\n

For starters, everyone from users to officials and webcam manufacturers is blaming each other instead of trying to find a solution to the problem. Ultimately, one major take away from this story is that if you own a device that is connected to the Internet, you should certainly follow security news. Otherwise, your private life may, at some point, surface online and you won\u2019t even know about it.<\/p>\n

So what happened?<\/h3>\n

Say you buy a webcam. Not a common one with a USB port that plugs into your computer, but a fancy wireless camera that streams video and allows you to observe your baby, your car in a garage or a sidewalk near your home, from another room, another town or even another country. You plug it in, follow the simple steps outlined in that \u201cQuick launch\u201d leaflet and it works just like that! It is a brilliant piece of technology and a true example of the modern digital world.<\/p>\n

Not exactly. The problem lies in the \u201cit works just like that\u201d part. As it turns out, many users, satisfied solely by the fact that the device was operational, did not bother to change the default password or, maybe, did not even know that such a thing was possible or recommended.<\/p>\n

A failure to change the password means that everyone who knows the exact address of the camera and the default password (you know, the \u20181234\u2019 type), could access your very private data. So, how could one know the exact address of a camera? One can enter a tricky search term into Google and access links to thousands of cameras online.<\/p>\n

It didn\u2019t take long for someone else to set up a website that seeks out unprotected webcams and sorts them by country and region (based on the IP address) for all of the bad guys out there to enjoy. There is even a thread in a limited-access forum where people can discuss the screenshots taken from webcams with the most \u2018remarkable\u2019 content. Yikes!<\/p>\n

Who is to blame?<\/h3>\n

Both everyone and no one. First, let\u2019s consider cybercriminals. The people who established the website did not actually hack<\/em> anything using sophisticated technology. They did not exploit vulnerabilities<\/em>\u00a0in a camera\u2019s software or set up a phishing website to steal your private passwords. They simply took advantage of a misconfiguration<\/em>.<\/p>\n

These cybercriminals broke into a device that was not designed with security in mind. One could compare it to taking a wallet that was forgotten in a cafe. The owner of the wallet should not have left it in a public place to begin with. While stealing it is not comparable to breaking into somebody\u2019s home, it is still considered a bad thing to do.<\/p>\n

Now let\u2019s consider the users. They failed to change the default password, though it was likely recommended somewhere in the manual (page 57, in small print, or something like that). However, do people really read the manual for a device that \u201cjust works\u201d? Webcam manufacturers design them to be as easy to operate as possible. Sometimes they may overlook security issues for the sake of simplicity. If a camera required<\/em> a user to change the default password before starting to use it (a very simple thing to do), the entire incident would be preventable.<\/p>\n

How about the vendors? They tend to blame \u201chackers\u201d and their own clients that fail to change a default password. Our choice is to side with consumers. We believe that everything with an internet connection should be designed with security in mind. We also believe that the vendors should explain security, in the simplest terms possible, to their clients and do their best to secure their clients\u2019 private lives.<\/p>\n

Welcome to the amazing world of computers!<\/h3>\n

In general, we contribute to the incidents that occur because we think of many devices as simple utility gadgets that merely do one or two simple tasks (like stream videos or provide WiFi access).<\/p>\n

In reality, it is way more complicated than that. Many cameras, home routers, smart TVs, set-top boxes and music players are actually real computers\u00a0<\/strong>capable of doing a lot more than they usually do. Actually, most of them tend to have these capabilities because manufacturers use standard, general-purpose hardware and software, as it is the cheapest method. Your home router provides WiFi, but it is powerful and sophisticated enough to control a space vehicle. That is what cybercriminals take advantage of.<\/p>\n

If you own a device that is connected to the Internet, you should certainly follow security news.<\/p>Tweet<\/a><\/blockquote>\n

Advice<\/h3>\n

Since not all providers of hardware, software and web services are thinking enough about security, we have to take care of it ourselves. There are two ways to do so. The first way is to learn about computers, software, programming, networks, analyzing vulnerabilities and communication protocols, and modify your own system to be protected from all kinds of threats.<\/p>\n

The second way is to rely on professionals. For computers, smartphones and tablets this is not a problem (take a look at Kaspersky Total Security<\/a>). However, devices such as webcams, routers and smart TVs are very diverse and deliberately closed by vendors for external reviews, making it nearly impossible to come up with a single security solution. So read the manual and call your IT guy to take care of security settings (but type the passwords yourself).<\/p>\n

To learn more about similar \u201chacks\u201d, take a look at this brilliant research by Kaspersky Lab\u2019s expert, David Jacoby, titled\u00a0\u201cHow I hacked my home.\u201d<\/a><\/p>\n

There is good news. Two days after the news broke, the website in question was shut down. But the bad news is that before the shut down, it was operational for at least six months. Even worse news: the misconfiguration that made the whole thing possible was revealed on one Russian technology website as early as August 2013 (not to mention that real cybercriminals could have used it long before that).<\/p>\n

\n

BBC News \u2013 Breached webcam and baby monitor site flagged by watchdogs http:\/\/t.co\/YnICwbMzvm<\/a><\/p>\n

\u2014 Foscam UK (@FoscamUK) November 21, 2014<\/a><\/p><\/blockquote>\n