Webcam security: What you must do, now

(Piotr Adamowicz/Shutterstock/File)


1 photo
Save Story
Leer en español

Estimated read time: 5-6 minutes

This archived news story is available only for your personal, non-commercial use. Information in the story may be outdated or superseded by additional information. Reading or replaying the story in its archived form does not constitute a republication of the story.

LONDON (CNN) — Unsecured footage from thousands of webcams around the world -- including in the United States and western Europe -- has been accessed and streamed by a website thought to be based in the Russian Federation, British officials say.

The website's operator claims to be republishing the feeds -- from sources including CCTV and baby monitors -- to highlight security weaknesses.

So what can consumers do to find out if their privacy has been violated and to prevent it from happening again?

CNN spoke to Andrew Paterson, senior technology officer at Britain's independent authority on information rights -- the Information Commissioner's Office (ICO) -- which issued a warning about the web cams Thursday, and Jules Polonetsky, executive director of the Future of Privacy Forum think tank.

Paterson suggests the first step for concerned consumers should be to check the security settings on their web camera and ensure that their password is not set to default.

"It's a website that's republished the feeds from many thousands of unsecured web cams and CCTV cameras. I believe you can view more or less live footage. It looks like one person has automatically scanned the internet for unsecured cameras and then aggregated this information in one site," Paterson said.


In theory, if you have a web camera and it is interface accessible over the internet, it could be at risk.

–Andrew Paterson, senior technology officer


"If you're particularly interested you could try to find your country, you could try to find the region or city that camera is in."

The website guesses location based on IP addresses and has a list of countries from where it is publishing feeds, ranking them by number of unsecured cameras discovered. At the time of writing, the U.S. tops the list -- with 4,591 feeds, followed by France, the Netherlands, Japan, Italy and the United Kingdom.

CCTV cameras and baby monitors are among the devices that feeds have been taken from. But many others could be affected.

"In theory, if you have a web camera and it is interface accessible over the internet, it could be at risk," Paterson said.

He said in the case of the Russian website it appears that the operator has concentrated on only a few makes.

The worry is that others may also have accessed such feeds.

"It appears that the person responsible is trying to raise awareness but it's possible other people are doing other things," he said.

Polonetsky said it's valuable to teach the lesson that web cameras need to be secured but said there have to be better ways than publishing people's feeds online.

He said similar problems have existed for years.

"Almost scarier is that there are thousands of other similarly unprotected devices on the web. We continually learn about some essential device that is web accessible," he said.

"There have been some very public examples of smart home equipment that could be accessed remotely," he said -- including devices to raise blinds or turn on lights remotely.

"If you can remotely access something, that means others can remotely access it as well and you need to lock it down -- or you're at risk."


If you can remotely access something, that means others can remotely access it as well and you need to lock it down -- or you're at risk.

–Andrew Paterson, senior technology officer


Again, Paterson stresses that having a strong password is critical.

"The one piece of advice I can give is that if you have a camera you should go and check if it's secured with a password and must double check it's not the default password," he said. "Secondly, work out whether you actually need to view your webcam over the internet or not. If you don't then you might as well turn that feature off."

While the ICO doesn't know the Russian website owner's intentions, Paterson said that as far as it can tell the feeds have not been archived -- though they don't know for certain.

"It looks like if you change the default password and set a strong one it will no longer show up on the website -- but the owner [on the Russian site] could do anything he or she wants," he said.

But the same flaw that has allowed this website to access personal feeds, could also have let other online users view your feed -- and they may not be broadcasting the fact.

"If you're able to log in remotely, then others are able to log in remotely. Either ensure that access is disabled or ensure you have a secure password," Polonetsky said.

Polonetsky suggested that delivering a product with a security weakness is "like selling houses without a front door."

"Actually, it's worse," he said. "Here you're selling things to people who don't even know there's not a back door. It's completely irresponsible -- it's like selling a car without a key piece of safety equipment. These things are not safe to be on the internet."

Polonetsky said it is possible that sellers of devices without basic data protection would be considered unfair to consumers under the U.S. Federal Trade Commission's standards.

"It could be considered unfair to sell a product that puts personal data at great risk. It will be interesting to see if any the sellers face action."

In the UK, Paterson said accessing a computer without authorization could well breach the Computer Misuse Act.

"If you have strong evidence that somebody has compromised your camera you may be able to take it to law enforcement," he said.

The ICO itself regulates the Data Protection Act. "If the feed from your camera can identify individuals that would be personal data and if someone's processing that in an unfair or unlawful manner then it could breach the act," he said.

As the website appears to be Russian-based, however, any potential legal action would require action from the authorities there. The ICO is currently trying to enlist their help to get the website taken down.

Copyright 2014 Cable News Network. Turner Broadcasting System, Inc. All Rights Reserved.

Photos

Related links

Related stories

Most recent Features stories

Susannah Cullinane CNN

    STAY IN THE KNOW

    Get informative articles and interesting stories delivered to your inbox weekly. Subscribe to the KSL.com Trending 5.
    By subscribing, you acknowledge and agree to KSL.com's Terms of Use and Privacy Policy.

    KSL Weather Forecast