15,000 webcams vulnerable to attack: how to protect against webcam hacking

15,000 webcams vulnerable to attack: how to protect against webcam hacking

Webcams may have been around for a long time, but that doesn’t mean we know what we’re doing with them. Webcam hacking has been around for equally as long, yet new research from Wizcase indicates that more than 15,000 private, web-connected cameras are exposed and readily accessible to the general public.

So forget hacking, cybercriminals can just take a stroll through the Internet and grab whatever webcam footage they like for the taking.

Malware targeting web cameras is a mainstay of the malicious hacker’s toolkit. Sometimes it’s for profit and blackmail. Often the threat of footage that doesn’t exist is mashed up with old data breaches to force people to part with their money.

Other times, people would hack PCs and reveal shock meme footage on a victim’s desktop, then capture screenshots for posterity, sharing them on hacker forums for giggles and bragging rights.

Mainly, what seems to be happening a lot right now is a whole lot of negligence. People are connecting their cameras to the Internet without any security features enabled. Worse still, many cams don’t have any security features to enable in the first place.

A persistent problem

We’ve spoken at length as to why security features aren’t necessarily advertised front and centre in the instructions of IoT devices. Companies want to seduce buyers with cool tools and amazing features, not ram “SET UP A PASSWORD” down their throats on page one of the instruction booklet. It’s strange, considering how safety and security messaging is typically high priority for other products.

When was the last time you saw a car advertised without some sort of passing mention of seatbelts, or how good the rollcage is, or how many airbags they have, or words like “safety for the whole family”? Epilepsy, violence, and adult language warnings are now a prominent feature of video games, movies, and television. Even social media comes with trigger warnings.

Computer equipment, though? Somehow it seems to run the risk of making the cool toys very uncool indeed. You know what’s definitely worse than security warnings all over the place?

Default configurations exposing your webcam’s stream to the whole world.

Webcam hacking the planet

Researchers from Wizcase discovered the following:

Around 15,000 webcams located in homes, businesses, places of worship, and many more were placed online without additional security measures. Regions spanned the globe, from Argentina and Brazil to the UK and Vietnam. Both adults at work and children presumably at home were all easily viewable after the cams were accessed remotely. This is a clear privacy and security risk, especially in terms of potential damage threatened by phishing, blackmail, sextortion, and more.

The cams offered up problems such as unsecured P2P networking and lack of password authentication on devices with Universal Plug and Play (UPnP) enabled, and easily guessable default login passwords for admin. In situations where consumers expected products to work “out of the box,” this problem was exacerbated by a lack of security knowledge.

In addition, not only were the cam streams accessible, but there were also other areas where admin could be compromised by webcam hacking techniques. Geolocation and potential control of devices was also possible.

Some of the devices looked at in the research include the following:

  • AXIS net cameras
  • Cisco Linksys webcam
  • IP Camera Logo Server
  • IP WebCam
  • IQ Invision web camera
  • Mega-Pixel IP Camera
  • Mobotix
  • WebCamXP 5
  • Yawcam

There’s an astonishing amount of personally identifiable information (PII) up for grabs, then, and in many ways and formats. Screenshots, audio, moving images, things consumers shouldn’t be viewing deep in the heart of a business, things you shouldn’t have access to in a home environment—it’s all there.

 

This certainly isn’t “just” a webcam hacking problem. Harassing toddlers via baby monitors? Sure, those stories come around regularly. Home hubs not locked down as well as they could be? The frankly bizarre sky’s the limit.

Webcam security tips

As with most Internet-connected devices, good security practices will help steer you clear of this danger. Keep your system up to date, along with your chosen selection of security tools, and perform regular scans to keep everything in ship shape condition.

If your cam is a USB connected to a desktop, you can always unplug when not in use.

If the cam is integrated into your laptop, you can turn it off completely via Device Manager.

You should also consider adding a webcam cover to your device if it doesn’t have one already fitted. If you need to cover a cam in a hurry, pretty much anything sticky will do the job. Masking tape is absolutely your friend.

If you’re worried about your conversations being recorded, you can also kill off the microphone should you so desire.

Most webcams should fire up a visible light to let you know when they’re in use. Some devices don’t do this, and so Windows 10 has the option to notify you when something is making use of it.

If you think files are being recorded, they could well be stored on your machine somewhere. It’d be well worth having a look around some common (and not so common) file locations. There’s also plenty of programs out there designed to see what’s eating up space on your hard drive, so you could use one of those to look for common video files or other large-sized files.

Cheap and nasty?

Standalone cams are notorious for not being secured properly. If you have a cheap IoT device in your home watching over your sleeping toddler, or a few handy cams serving as convenient CCTV when you head off to the shops, take heed. It may be that the price for accessing said device on your mobile or tablet is a total lack of security.

Always read the manual and see what type of security the device is shipping with. It may well be that it has passwords and lockdown features galore, but they’re all switched off by default. If the brand is obscure, you’ll still almost certainly find someone, somewhere has already asked for help about it online.

Tuning in to chaos

While this isn’t anything particularly new where webcams and devices in the home are concerned, it’s a timely reminder to be careful about what we invite into our homes. Even the best devices can run into an exploit, and it’s a fact that many webcam devices don’t come anywhere close to being “the best.” Indeed, security researchers run into devices thrown together as cheaply as possible with no thought given to security all the time.

Until security is baked right into these useful yet potentially dangerous tools, and marketing teams realise it’s okay to allow a little drag on the initial user experience to ensure everything is locked down, this will continue to happen.

If you’re unsure about a particular brand, it won’t hurt to have a little dig around online first before purchasing. Pay close attention to security features listed or (more problematically) no security features listed whatsoever. If the device looks appealing and on sale at a surprisingly cheap price, a lack of any brand name listed whatsoever may be the point where alarm bells start going off.

You simply can’t be sure what you’re taking home at that point, and even the various security tips up above may not be enough to keep things safe and clean at all times. Be on your guard, drop some tape on that ever-present eye in the corner of your room, and go about your day. It’s definitely a problem, but it isn’t one you need to let rule your day-to-day online experience.

ABOUT THE AUTHOR

Christopher Boyd

Former Director of Research at FaceTime Security Labs. He has a very particular set of skills. Skills that make him a nightmare for threats like you.