A website is displaying the video streams of webcams in tens of thousands of private homes and businesses around the world to show how easy it is to intercept them if the owner doesn’t change the manufacturer’s default user name and password.
“Last week, I sat at my computer and watched a young man from Hong Kong relaxing on his laptop; an Israeli woman tidying the changing room in a clothes store; and an elderly woman in the UK watching TV,” wrote Joseph Cox for the Web magazine Motherboard.
“All of these people were completely unaware that I was spying on them, thousands of miles away, through devices that were inadvertently broadcasting their private lives on the Internet.”
The feeds are collected on a website called Insecam, which uses computer software to troll the Internet for signals from security cameras and the like.
The intercepted cameras are using the pre-programmed security codes installed by the manufacturers and left unchanged by the consumers. Default user names such as “admin” and passwords such as “12345” can easily be guessed.
TechCrunch reports that it investigated the feeds and found many dead, likely because the owners had changed the security codes after discovering their cameras had been tapped by Insecam.
At the Tampa Tribune, Tom Jackson reported he saw “cluttered family rooms and tidy kitchens. Vacant pool decks. A dock looking out on sparkling blue water. Lonely front porches. A blue-and-gold striped tropical fish. Several empty cribs. And one crib containing a blissfully snoozing toddler.”
Jackson said, however, what Insecam’s designers have done “falls ever so slightly outside the realm of hacking.”
“Instead, its robot is simply coming through an unlocked back door. Keeping it out of our business is up to us.”
He continued: “The timing for understanding this could not be better. The season ahead is, of course, rich with traditions, not the least of which is this: In our haste to get gifts assembled and running, we – and I am speaking as a been-there-done-that dad – will skip details in the owner’s manual that seem incidental to the operation of the gizmo at hand.”
But he warned that manufacturers’ default user names and passwords follow simple patterns, making the system vulnerable.
“Just change the dang password. And it’s not just because you don’t want Russian thugs watching your teens play video games,” he continued. “There’s lots of stuff you can skip over the holidays, but changing the password on your new DIY surveillance system isn’t one of them. What you do in your hot tub should stay in your hot tub.”
Insecam shows cameras from dozens of nations, including Sweden, Singapore, Chile, Denmark, Brazil, Czech Republic, Israel, Greece and Bulgaria.
With many of the featured feeds, Insecam also shows the location on a Google map.
In not-entirely fluent English, the site explains: “Sometimes administrator (possible you too) forgets to set the default password on security surveillance system, online camera or DVR. This site now contains access only to cameras without a password and it is fully legal. Such online cameras are available for all Internet users. To browse Cameras just select the country or camera type.”
The site says it has been designed “to show the importance of the security settings.”
“To remove your public camera from this site and make it private the only thing you need to do is to change your camera default password.”
TechCrunch reported there were 73,000 camera feeds on the site.