Be very afraid: Anyone can see inside your home if you have an unsecured webcam

Azim Azman
The New Paper
Monday, Oct 31, 2016

You could be unknowingly broadcasting your life on the Internet.

The website Insecam bills itself as a repository of unsecured surveillance cameras from all over the world, including Singapore.

With just a few clicks, anyone can access live images from places that look like the inside of offices, warehouses and homes.

The footage is from closed-circuit television and Internet protocol (IP) cameras. IP cameras work by connecting to a Wi-Fi network and their feeds can be viewed remotely from a smartphone or computer.

The New Paper first reported on it in 2014.

30 feeds

When monitoring the site last week, TNP saw more than 30 feeds from Singapore.

The website owners claim on the site that they constantly filter out cameras that intrude on the privacy of individuals.

However, some of the feeds clearly showed the inside of people's homes.

It gets worse.

Even if your webcam feed is not on Insecam, there are search engines that can scan for unsecured webcams, said Associate Professor Steven Wong, 41, the president of the Association of Information Security Professionals.

"In the digital world, it's just a fly through to collect (the addresses of these webcams)," he said.

In a few short minutes, he showed TNP how easy it was for someone like him to tap into an unsecured webcam.

Using a search engine that was specifically built to find and map out devices connected to the Internet, he was able to look for the web addresses of webcams here.

A few taps of the keyboard was all it took for him to log on to unsecured webcams that were not listed on Insecam.

To prevent copycats, TNP is not naming that website.

How is this intrusion possible?

Such webcams are only protected by a default password or, worse, have no passwords at all.

"The most basic thing is the most dangerous thing," said Prof Wong, the programme director for the Information Security degree at the Singapore Institute of Technology.

He stressed that not changing the passwords to any device connected to the Internet leaves users vulnerable.

He said: "Once a device is connected to the Internet, everybody can access it if you don't set up the fence properly."

One user who wanted to be known only as Madam Ang, 45, said she was appalled by the content of Insecam.

She said: "The website claims to not intrude people's privacy, but I saw workplaces and I think somebody's home kitchen too."

When the admin assistant first bought her 7-Star security cameras more than three years ago, she had a family friend help her with them.

"My husband and I did not know how to use the camera back then so a friend came over to help set them up," she said.

Madam Ang has three cameras and they are used mainly to monitor the maid and to make sure the children come home on time.

She said there was no default password set-up for the cameras then and she was not aware of the risks of not setting a password.

She said: "Looking back, if our friend did not tell us to set a password, I would never have done it."

In an e-mail interview, Mr Nick Savvides, security advocate at security and technology giant Symantec, said his company's analysis showed that web-connected or Internet of Things (IoT) devices are "scanned every two minutes".

"This means that a vulnerable device, such as one with a default password, could be compromised within minutes of going online," he said.

"Consumers should ensure that they are purchasing these devices from a trusted and reputable manufacturer."

The process of accessing unsecured cameras is easily automated.

Said Prof Wong: "Somebody can write a script that automatically scans through to find webcams which are not password protected."

Unsecured webcams also present a danger beyond having your privacy violated.

They can be used to launch a Distributed Denial of Service (DDoS) attack, similar to the one that affected StarHub users last week.

Tool

Mr Kelvin Lew, a cyber security consultant, said: "There are still millions of users who are not aware that their personal computers, devices and home equipment have become a tool for the hackers to do their illegal activities."

He urged IoT manufacturers to consider the security aspect in the design of their products.

So how can you prevent your webcams from being accessed?

Said Prof Wong: "Change your passwords!"

Viewing stream is OK, uploading is not

It is not illegal to view the feeds that are on Insecam.

"Just viewing the feed does not constitute an infringement," said lawyer Gloria James-Civetta, managing partner of law firm Gloria James-Civetta & Co.

"It would be akin to watching an episode of a TV show that has been illegally uploaded on YouTube."

Mr George Hwang from George Hwang LL.C likens looking at the stream to someone looking through the open window of a Housing Board flat as they walk past on the corridor.

"There is no problem if you were just looking through that window," he said.

The infringement occurs if you put the stream online.

Said Ms James: "If a third party puts up a stream on the Internet, then that can constitute an infringement.

"There was no consent to taking someone else's data and letting the world see it."

Change your default password

Manufacturers of webcams found on Insecam say basic security measures can help prevent unauthorised access to cameras

If you log on to the website Insecam, you will see feeds from webcams all over the world.

You will also see the models and brands of webcams that are being tapped into.

When The New Paper checked the website last week, it showed video feeds from webcams here made by Panasonic, Axis Communications, Defeway, Foscam, Linksys and TP-Link.

A simple web search showed sites that collect lists of default passwords for many popular webcam brands, making it simple for anyone to hack into a webcam that has not had its password changed.

Discontinued

When TNP contacted the brands and their local distributors, we found that at least two models had been discontinued.

Axis Communications head of marketing Winston Goh said the camera model used in feeds on Insecam is no longer on sale.

It was discontinued in favour of a newer model, but every camera will have a default password in its initial set-up.

A TP-Link spokesman said the company has discontinued the model TL-SC4171G, an IP camera with two-way audio which was found on Insecam.

Many of the brands and distributors said their set-up process is meant to prevent unauthorised access.

Webcam models that come with default usernames and passwords also come with instructions on how passwords can be changed.

Other webcams come with no default passwords - the password has to be created during the first login.

If the webcam feeds are being accessed illegally on sites like Insecam, manufacturers say the problem boils down to one thing: Users who have not set passwords or have not changed the default password.

Mr Tan Choon Kiat, Foscam's head of technical support here, told TNP that its cameras are not able to be hacked into if the correct set-up and password protocols are followed.

"Our basic set-up process already enforces a strong password to be set.

"So the cameras which are hacked into are either due to the lack of or having a very weak and default password," he said.

The brand's cameras are easy to install using the instruction manual provided, he added. Mr Tan also said that if customers encounter any difficulty, there is a local and global hotline they can call and be guided step-by-step over the phone.

3Si, the reseller for Axis Communications, said the cameras are usually bought by businesses.

3Si's business director Norman Lau said more than 50 per cent of its customers declined to change their default password after his company installed the cameras for them.

He said: "Axis cameras are usually purchased by businesses. We help them install and after that, we will remind them to change their passwords.

"Many will prefer to change themselves whereas some will get us to assist them in the changing of passwords."

Panasonic, Defeway and Linksys did not get back to TNP by press time.

'Poor security makes them soft targets'

Your password issues do not affect just you.

StarHub's broadband network was disrupted twice last week, on Oct 22 and Oct 24.

StarHub said the distributed denial of service (DDoS) attack happened with the help of its customers' machines.

The attacks came just after a massive DDoS attack on a US-based Domain Name System (DNS) service provider, Dyn, on Oct 21.

The attack on Dyn took down services like Twitter and Spotify.

Experts said that these attacks made use of web-connected or Internet of Things (IoT) devices.

Hackers used malware called Mirai to infect countless devices connected to the Internet.

Those devices then became zombie machines that overwhelmed Dyn's servers with more traffic than it could handle.

Experts do not rule out that the DDoS attacks that affected StarHub resulted from devices infected with Mirai.

In an e-mail reply to The New Paper, Mr Nick Savvides, security advocate at Symantec, said that these attacks are rooted in the poor security of many of these devices that are connected to the Internet.

"Poor security on many IoT devices makes them soft targets and attackers often pre-programme their malware with commonly used and default passwords," he said.

"Processing power limitations and basic operating systems mean many IoT devices don't have advanced security features."

He urged consumers to buy devices from reputable manufacturers.

"Check if they have a history of releasing updates and if they have clear security and privacy policies," he said.
