A Russian-based website has been found showing footage from hacked webcams, CCTV cameras and even baby monitors, allowing criminals to spy on people from across the world.
According to the UK Information Commissioner’s Office (ICO), the widespread breach is largely due to people using weak default passwords given to customers when they purchase their devices or not having any protection in place at all.
“The website, which is based in Russia, accesses the information by using the default log-in credentials, which are freely available online, for thousands of cameras,” Simon Rice, group manager for technology at the ICO, wrote in a blog post on ICO’s website.
“The footage is being collected from security cameras used by businesses and members of the public, ranging from CCTV networks used to keep large premises secure, down to built-in cameras on baby monitors. And with 350,000 of these cameras sold in the UK alone last year, this is a threat that all of us need to be aware of and be taking action to protect against.”
Live feeds from private properties across the UK have been found on the website including a gym in Manchester, a bedroom in Birmingham and an office in Leicester. Overall, 600 UK feeds and about 5,000 US feeds are reported to be accessible through the website.
Anyone with access to the site can use the information to tip off burglars about when properties are left unattended and what exactly can be found inside.
Although customers usually buy such cameras in the belief it will help them monitor their homes and properties while they are away, providing better protection against unauthorised access, the fact is the devices are inherently vulnerable unless carefully protected.
"The ability to access footage remotely is both an Internet camera's biggest selling point and, if not set up correctly, potentially its biggest security weakness,” Rice wrote. “Remember, if you can access your video footage over the Internet, then what is stopping someone else from doing the same?”
The footage acquired through the cameras can usually be accessed via a private web address. However, the ICO said, cunning hackers know ways how to scan the Internet using smart software to find vulnerable devices.
“In some cases, insecure cameras can be identified using nothing more than an Internet search engine,” Rice said.
Although efforts are being made to close the website, users of CCTVs, web-cameras and baby monitors have been urged to make sure they maximise the level of protection of their devices.
The Institution of Engineering and Technology’s (IET) Professor Will Stewart confirmed the problem lies mostly in people not paying enough attention to security even though encryption is readily available.
“This is not a technology or engineering problem. This is simply about people not considering it important enough to set up a secure password,” Stewart said.
“They think that as they need to access a private website to be able to view the footage, the system is safe enough. But that’s not the case. Anyone can scan the Internet using automated software to find unprotected feeds. In some cases, people make it even easier for the attackers, as they sometimes share the addresses to allow their friends or family to view the feed via various social websites.”
Simon Rice has advised security camera users to make sure they change the password of their device from the default setting, frequently something as simple as 12345, or set up passwords in the case of devices that may be completely unprotected.
ICO said that had the website been based in the UK it would have been illegal, but as it’s based in Russia, it may require ‘global response’ to tackle the problem.