
The New Paper
Monday, Oct 31, 2016
You could be unknowingly broadcasting your life on the
Internet.
The website Insecam bills itself as a repository of
unsecured surveillance cameras from all over the world, including
Singapore.
With just a few clicks, anyone can access live images
from places that look like the inside of offices, warehouses and
homes.
The footage is from closed-circuit television and
Internet protocol (IP) cameras. IP cameras work by connecting to a
Wi-Fi network and their feeds can be viewed remotely from a
smartphone or computer.
The New Paper first reported on it in 2014.
30 feeds
When monitoring the site last week, TNP saw more than
30 feeds from Singapore.
The website owners claim on the site that they
constantly filter out cameras that intrude on the privacy of
individuals.
However, some of the feeds clearly showed the inside of
people's homes.
It gets worse.
Even if your webcam feed is not on Insecam, there are
search engines that can scan for unsecured webcams, said Associate
Professor Steven Wong, 41, the president of the Association of
Information Security Professionals.
"In the digital world, it's just a fly through to
collect (the addresses of these webcams)," he said.
In a few short minutes, he showed TNP how easy it was
for someone like him to tap into an unsecured webcam.
Using a search engine that was specifically built to
find and map out devices connected to the Internet, he was able to
look for the web addresses of webcams here.
A few taps of the keyboard was all it took for him to
log on to unsecured webcams that were not listed on Insecam.
To prevent copycats, TNP is not naming that
website.
How is this intrusion possible?
Such webcams are only protected by a default password
or, worse, have no passwords at all.
"The most basic thing is the most dangerous thing,"
said Prof Wong, the programme director for the Information Security
degree at the Singapore Institute of Technology.
He stressed that not changing the passwords to any
device connected to the Internet leaves users vulnerable.
He said: "Once a device is connected to the Internet,
everybody can access it if you don't set up the fence
properly."
One user who wanted to be known only as Madam Ang, 45,
said she was appalled by the content of Insecam.
She said: "The website claims to not intrude people's
privacy, but I saw workplaces and I think somebody's home kitchen
too."
When the admin assistant first bought her 7-Star
security cameras more than three years ago, she had a family friend
help her with them.
"My husband and I did not know how to use the camera
back then so a friend came over to help set them up," she said.
Madam Ang has three cameras and they are used mainly to
monitor the maid and to make sure the children come home on
time.
She said there was no default password set-up for the
cameras then and she was not aware of the risks of not setting a
password.
She said: "Looking back, if our friend did not tell us
to set a password, I would never have done it."
In an e-mail interview, Mr Nick Savvides, security
advocate at security and technology giant Symantec said his
company's analysis showed that web-connected or Internet of Things
(IoT) devices are "scanned every two minutes".
"This means that a vulnerable device, such as one with
a default password, could be compromised within minutes of going
online," he said.
"Consumers should ensure that they are purchasing these
devices from a trusted and reputable manufacturer."
The process of accessing unsecured cameras is easily
automated.
Said Prof Wong: "Somebody can write a script that
automatically scans through to find webcams which are not password
protected."
Unsecured webcams also present a danger beyond having
your privacy violated.
They can be used to launch a Distributed Denial of
Service (DDoS) attack, similar to the one that affected StarHub
users last week. (See report on the next page.)
Tool
Mr Kelvin Lew, a cyber security consultant, said:
"There are still millions of users who are not aware that their
personal computers, devices and home equipment have become a tool
for the hackers to do their illegal activities."
He urged IoT manufacturers to consider the security
aspect in the design of their products.
So how can you prevent your webcams from being
accessed?
Said Prof Wong: "Change your passwords!"
Viewing stream is OK, uploading is not
It is not illegal to view the feeds that are on
Insecam.
"Just viewing the feed does not constitute an
infringement," said lawyer Gloria James-Civetta, managing partner
of law firm Gloria James-Civetta & Co.
"It would be akin to watching an episode of a TV show
that has been illegally uploaded on YouTube."
Mr George Hwang from George Hwang LL.C likens looking
at the stream to someone looking through the open window of a
Housing Board flat as they walk past on the corridor.
"There is no problem if you were just looking through
that window," he said.
The infringement occurs if you put the stream
online.
Said Ms James: "If a third party puts up a stream on
the Internet, then that can constitute an infringement.
"There was no consent to taking someone else's data and
letting the world see it."
Change your default password
By Elaine Lee
Manufacturers of webcams found on Insecam say basic
security measures can help prevent unauthorised access to
cameras
If you log on to the website Insecam, you will see
feeds from webcams all over the world.
You will also see the models and brands of webcams that
are being tapped into.
When The New Paper checked the website last week, it
showed video feeds from webcams here made by Panasonic, Axis
Communications, Defeway, Foscam, Linksys and TP-Link.
A simple web search showed sites that collect lists of
default passwords for many popular webcam brands, making it simple
for anyone to hack into a webcam that has not had its password
changed.
Discontinued
When TNP contacted the brands and their local
distributors, we found that at least two models had been
discontinued.
Axis Communications head of marketing Winston Goh said
the camera model used in feeds on Insecam is no longer on sale.
It was discontinued in favour of a newer model, but
every camera will have a default password in its initial
set-up.
A TP-Link spokesman said the company has discontinued
the model TL-SC4171G, an IP camera with two-way audio which was
found on Insecam.
Many of the brands and distributors said their set-up
process is meant to prevent unauthorised access.
Webcam models that come with default usernames and
passwords also come with instructions on how passwords can be
changed.
Other webcams come with no default passwords - the
password has to be created during the first login.
If the webcam feeds are being accessed illegally on
sites like Insecam, manufacturers say the problem boils down to one
thing: Users who have not set passwords or have not changed the
default password.
Mr Tan Choon Kiat, Foscam's head of technical support
here, told TNP that its cameras are not able to be hacked into if
the correct set-up and password protocols are followed.
"Our basic set-up process already enforces a strong
password to be set.
"So the cameras which are hacked into are either due to
the lack of or having a very weak and default password," he
said.
The brand's cameras are easy to install using the
instruction manual provided, he added. Mr Tan also said that if
customers encounter any difficulty, there is a local and global
hotline they can call and be guided step-by-step over the
phone.
3Si, the reseller for Axis Communications, said the
cameras are usually bought by businesses.
3Si's business director Norman Lau said more than 50
per cent of its customers declined to change their default password
after his company installed the cameras for them.
He said: "Axis cameras are usually purchased by
businesses. We help them install and after that, we will remind
them to change their passwords.
"Many will prefer to change themselves whereas some
will get us to assist them in the changing of passwords."
Panasonic, Defeway and Linksys did not get back to TNP by press
time.
'Poor security makes them soft targets'
Your password issues do not affect just you.
StarHub's broadband network was disrupted twice last
week, on Oct 22 and Oct 24.
StarHub said the distributed denial of service (DDoS)
attack happened with the help of its customers' machines.
The attacks came just after a massive DDoS attack on a
US-based Domain Name System (DNS) service provider, Dyn, on Oct
21.
The attack on Dyn took down services like Twitter and
Spotify.
Experts said that these attacks made use of
web-connected or Internet of Things (IoT) devices.
Hackers used malware called Mirai to infect countless
devices connected to the Internet.
Those devices then became zombie machines that
overwhelmed Dyn's servers with more traffic than it could
handle.
Experts do not rule out that the DDoS attacks that
affected StarHub resulted from devices infected with Mirai.
In an e-mail reply to The New Paper, Mr Nick Savvides,
security advocate at Symantec, said that these attacks are rooted
in the poor security of many of these devices that are connected to
the Internet.
"Poor security on many IoT devices makes them soft
targets and attackers often pre-programme their malware with
commonly used and default passwords," he said.
"Processing power limitations and basic operating
systems mean many IoT devices don't have advanced security
features."
He urged consumers to buy devices from reputable
manufacturers.
"Check if they have a history of releasing updates and
if they have clear security and privacy policies," he said.