Anyone with an Internet Connection Can Still Access 15,000 Webcams All Across the World
Many products are put on the market with the idea of improving people's security, and it's always sad to see when one of them has the exact opposite effect. Unfortunately, this isn't such a rare phenomenon. Recently, for example, Avishai Efrat, a security researcher working for WizCase, managed to discover more than 15,000 private webcams that were accessible to anyone with an internet connection.
We should first mention that we're not talking about the built-in webcam on your laptop or the one you plug into the USB port and attach to the top of your monitor. We're talking about the sort of camera that people install in private and public buildings in order to ensure better security.
You no longer need an on-premises security guard to man these cameras. Right now, most of them can be managed remotely either through a browser or via a mobile application. The thing is, ideally, only their owners should have access to them, and unfortunately, this is not always the case.
How hackers access your webcam
IoT security cameras can be remotely managed through one of two protocols – port forwarding or P2P (also known as Peer-to-Peer). Port forwarding is generally considered the less secure option, though manufacturers continue to use it. With it, connecting to your webcam is as easy as opening a web browser and typing your router's public IP address, followed by the port your camera uses, into the address bar.
At this point, the webcam should require authentication in order to ensure that only authorized people can view the image, but according to WizCase, this isn't always the case. What's more, the webcams that do require a username and password are often left with the default credentials. This is a problem because thanks to search engines like shodan.io, hackers know the make and model of the webcam they're connecting to. And if they know the make and model, the default credentials are just a Google query away.
P2P is the preferred protocol, especially if the connection needs to be made through a mobile application. It is considered more secure and easier to implement, but it has its own set of problems. Vendors strive to make webcams as easy to set up as possible, and as a result, they intentionally or unintentionally overlook some basic security practices. WizCase's researchers say that in some cases, P2P communication could also leave ports open to the internet without authentication, and hackers can easily exploit them.
What happens if your webcam gets hacked?
WizCase's researcher managed to find a whole plethora of vulnerable cameras from manufacturers like Axis, Cisco Linksys, Mobotix, and others. Not surprisingly, the majority of the devices were located in large countries like the USA, Russia, Brazil, Canada, and the UK, and they were installed in a variety of places.
The amount of damage that can be done once a hacker compromises a camera is dependent on the level of access that is gained. In some cases, attackers can take full control of the device, point it in a different direction, switch it off, or even tamper with the footage it's broadcasting. If they get access to the camera's underlying operating system, they can also recruit it into a large botnet and use it for cryptojacking or launching DDoS attacks.
From a privacy standpoint, the seriousness of the problem is determined by the location of the compromised camera. Devices that are set up in public places like parking lots, shops, and hotel lobbies probably shouldn't cause too much trouble. The ones that people install in their homes, however, record footage that is much more sensitive, and the webcam owners definitely don't want other people looking at it. WizCase's researchers managed to get to cameras that recorded children while they were home alone, which means that people need to start securing their devices as a matter of priority.
How to secure your webcam?
Unfortunately, because different manufacturers have different designs, it's difficult to put together a to-do list that is guaranteed to solve your problems. What this means is that it's up to you to do some research and see how your camera works and how secure it is.
Check out its documentation to see which communication protocol it uses. Make sure that the webcam requires authentication every time someone tries to access it, and if you haven't already, ensure that you have changed the device's default login credentials.
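One way to run the authentication check described above against a camera you own, shown as an added example that is not part of the original article. It assumes the camera's web interface speaks plain HTTP; the function names and the sample replies are constructed for illustration.

```python
"""Added example: confirm that your own camera refuses unauthenticated requests."""
import http.client

# Content types that mean the device answered with a picture or a video stream.
MEDIA_PREFIXES = ("image/", "video/", "multipart/x-mixed-replace")


def classify_response(status, headers):
    """Return (verdict, detail) for the reply to a request sent WITHOUT credentials."""
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").lower()
    if status == 401:
        scheme = h.get("www-authenticate", "").split(" ", 1)[0].lower()
        if scheme == "basic":
            return "auth-required", "Basic auth: password is only base64-encoded, use HTTPS or a VPN"
        return "auth-required", f"challenge scheme: {scheme or 'not stated'}"
    if status == 403:
        return "auth-required", "request refused"
    if status in (301, 302, 303, 307, 308):
        return "check-manually", f"redirects to {h.get('location', '?')}; confirm it is a login page"
    if status == 200 and ctype.startswith(MEDIA_PREFIXES):
        return "exposed", f"served {ctype} with no login"
    if status == 200:
        return "check-manually", "page served without a challenge; it may be a login form or the admin UI"
    return "unknown", f"HTTP {status}"


def check_camera(host, port=80, path="/", timeout=5):
    """Send one unauthenticated GET to a camera you own and classify the reply."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return classify_response(resp.status, dict(resp.getheaders()))
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed sample replies; replace with check_camera("<camera LAN address>").
    samples = [
        (401, {"WWW-Authenticate": 'Digest realm="cam", nonce="abc"'}),
        (401, {"WWW-Authenticate": 'Basic realm="cam"'}),
        (200, {"Content-Type": "multipart/x-mixed-replace; boundary=frame"}),
        (302, {"Location": "/login.html"}),
    ]
    for status, hdrs in samples:
        print(status, classify_response(status, hdrs))
```

Check the snapshot or stream path from the camera's documentation as well as the root page, since a login form on the front page does not prove the video path is protected.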
Modifications can be made on the network level as well. Putting the camera on a local VPN should guarantee that only devices on that VPN can access it, and whitelisting IP and MAC addresses should also help keep it away from prying eyes.
These solutions might sound too complicated, especially for the less tech-savvy among you. Sometimes, however, implementing them is easier than it may appear at first, so researching the options is definitely worth it. After all, it's for the sake of your security and privacy.