14 DAY TRIAL // The Information Commissioner’s Office (ICO), UK’s privacy watchdog, issued a warning for citizens using surveillance cameras accessible with the default credentials, saying that this insecure practice is being taken advantage of on a website aggregating their video streams.
The alert comes after it was discovered that a website based in Russia looks for weakly protected IP cameras and makes public the content they capture. The devices are not hacked in any way, but accessing them is possible because owners did not change the default username and password.
Not just CCTV networks have been indexed but also personal and business security cameras, as well as those mounted on baby monitors.
Sales of surveillance cams grow, unique passwords needed
ICO did not provide the name of the website, but clues in their warning point to insecam.com, which was created specifically to raise awareness about the security risks of keeping the original credentials for reaching content of video recording equipment reachable via the Internet.
Additionally, the website administrators state in the FAQ section that a simple request to remove the surveillance device from their database would suffice for them to comply.
ICO draws attention to the dangers of preserving the default login credentials for surveillance cameras and strongly advises against this practice, especially since a large number of such devices is sold each year; in 2013 alone, 350,000 IP cameras were sold in the UK.
Apart from setting unique, strong passwords, the security measures recommended by the Information Commissioner’s Office also include going through the configuration options intended for secure capture of the footage, provided by the manufacturer of the device in the user’s manual.
Having an obscure address for checking the footage is not enough for protecting the information because simple searches, even with Google, can reveal the IP. With default credentials being publicly available, an intruder could easily view the camera content.
ICO tries to remove Russian website
Insecam.com relies on an automated system for discovering the poorly protected devices based on Shodan search engine, which is specifically designed to look for hardware components connected to the web.
Moreover, the security set up of all other devices facing the Internet should be revised to make sure that sensitive information cannot be reached by unauthorized individuals.
Simon Rice, group manager for technology at ICO, says that efforts are made by ICO to take down the website. Other parties tied to data protection around the world have also been engaged in this action.
However, even if the watchdogs manage to prevent access to the website, the insecure cameras would still be available for third parties to snoop on citizens from all over the globe.
