Poor security: 15,000 private webcams exposed to creeps
Your exposed webcams are backdoor for creeps.
Every cybersecurity article you’ll find will include some sort of reminder emphasizing the use of strong passwords, good antivirus software and the related usual. However, there is less care taken to ensure the hardware components of our computers are secure.
In the wake of this, Avishai Efrat, a white hat hacker from Wizcase has found 15,000 webcams globally that can be accessed unauthorizedly with the only pre-requisite being an Internet connection. Many of these webcams can also be tinkered with by malicious users editing their settings which is made easier by the fact that most users do not bother changing the default credentials of such devices.
Some of the manufacturers include:
- AXIS net cameras
- Cisco Linksys webcam
- IP Camera Logo Server
- IP WebCam
- IQ Invision web camera Mega-Pixel IP Camera,
- WebCamXP 5
These have been found installed both for home and business use in different countries with the following ones being the most popular as reported by Wizcase:
While webcams at homes would be expected to mostly have revealed personal sensitive information in developing countries where the trend of remote working is less, this is untrue for economies based particularly in Europe and the Americas where important business data may have also been compromised.
But that’s not where it ends. Potential uses of webcams also extend to places of worship, museums, sports areas and parking lots which could be deemed as an invasion to the privacy of users.
Here, it’s noteworthy that since 2014, a website called “Insecam” has been showing live footages from over 100,000 insecure private security cameras from all over the world. The site claim to be “The world biggest directory of online surveillance security cameras.”
Some of the consequences of these are that indecent footage of people could be used for blackmailing them, IP theft could become easier for unethical businesses who may utilize such feeds, surveillance becomes easier for both government and foreign government agencies, camera loops could be set to coordinate physical attacks and much more – the list is endless to say.
The golden question is, why was such a flaw overlooked by several manufacturers despite the implications? To answer this, we must look at how webcams work. Every time one is installed, users need some remote way in order to access its footage either in real-time or later for play-back. This is important to realize as not all webcams are used for video networking communication and many of them are utilized for security purposes.
The access mechanisms can be divided into two networking protocols, namely port forwarding and peer to peer(P2p). In port forwarding through the use of Universal Plug and Play (UPnP) technology, the camera can be accessed by a port on the external IP address.
If there is no authentication method, anyone who knows the IP address of the device can access the footage and other privileges depending on the manufacturer’s setup. Secondly, in P2P, the device itself communicates with the manufacturer’s servers for administration and other functions without port forwarding leaving no need for port forwarding.
However, this can again be insecure if the manufacturer doesn’t take the basic precautions mentioned above. To solve these security issues, Chase from Wiscase offers some insight along the lines of,
“Many devices aren’t put behind firewalls, VPNs, or whitelisted IP access – any of which would deny scanners and arbitrary connections. If these devices have open network services, then they could be exposed. wrote Chase.” “The device’s security posture might depend on different things but a recommended way to set up a secure web camera would be to use a local VPN network, so that any open port would remain within the limits of the encrypted communication of the VPN. The app would connect to the VPN which would then access the port using an internal IP, thus avoiding the open port & call home potential problems and removing accessible ports from your external IP,” Chase concluded.
Furthermore, one can also add other measures such as whitelisting only one’s own device’s MAC addresses, choosing vendors with a focus on security, enabling two-factor authentication and finally using an encrypted connection to access the admin panel.
Finally, If you’re not a technically interested user, checking if your public IP address is compromised through a search engine like Shodan can also help for the immediate time being helping you decide your next course of action.