News

Actions

Website feature shows lack of webcam security

Posted
and last updated

A new search engine is making waves in the tech world as being the first to allow users to easily browse vulnerable webcams.

Shodan’s newest feature allows users to not only search for unsecured webcams from around the world, but also search by specific location, revealing IP addresses and approximate GPS coordinates in the process. There is also a feed that includes snapshots from unprotected webcams. One short search by 41 Action News revealed private bedrooms, living rooms, backyards, front porches and several business offices, even a possible daycare.

"I think the most alarming thing is that people can find your location,” said local tech expert Burton Kelso.

Kelso said that often times private IP addresses can be assigned an address several miles away. However, sometimes business addresses can be given a static IP address, which is much more accurate.

“It doesn't matter what device it is. If you've got an Internet-connected device such as a tablet or smartphone or a convertible laptop, you can definitely get on and take a look at anybody's unsecure webcam."

How do I protect myself?

It’s simple. Set complex passwords (which include symbols, numbers and letters) to both your webcam and your Internet router. Don’t buy a webcam that won’t let you customize your privacy settings.

Simply using the default password that comes with the camera isn’t good enough.

"The problem is that most hackers can Google what the passwords are for certain webcams,” said Kelso.

It’s also important to turn off "file sharing" if on a laptop.

Is watching an unsecured webcam illegal?

According to the U.S. Attorney’s Office, there is no current law prohibiting someone from watching an unsecured webcam. According to the FBI, it is illegal for someone to hack into a webcam, bypassing security features such as passwords.

Can someone hack into my webcam even with complex passwords installed?

Yes, but it would be very difficult. They would likely have to install a RAT (Remote Administration Tool) to take control of your device. This can be done through clickable links sent to you on platforms such as your inbox or Facebook. Never click on anything suspicious.  

Smart phones and tablets can be harder to hack into because of built-in security features. However, not setting passwords on those devices can make them vulnerable as well.

How do I know if my webcam has been hacked?

You likely won’t. If you see your webcam light turn on at random or it appears someone is controlling your computer remotely, it’s time to re-address your security settings.

What is Shodan?

Shodan is a website that claims to be the world’s first search engine for internet connected devices. It was developed several years ago as a way for IT professionals to see where devices were connected, such as servers and routers - essentially anything with an IP address, including cameras.

Many of the cameras that are revealed in the search engine are likely made for public use, such as traffic and weather cameras. However, because the search pulls up any unsecured camera, several cameras meant for private use are exposed as well.

Shodan sent 41 Action News the following statement: 

"Shodan wants to provide a complete view of the Internet which includes control systems, printers, servers, databases, tea kettles and of course webcams.

With regards to webcams, we operate identically to other search engines such as Google which can also be used to find publicly accessible webcams. For example:

https://www.google.de/search?q=camera+linksys+inurl:main.cgi&start=0&ie=utf-8&oe=utf-8&gws_rd=cr,ssl&ei=JA6sVuINweJSj_CYsA4

Google used to offer something similar to Shodan in the form of Google Instant Previews.

Why aren’t the webcams made more secure by manufacturers?

Many believe consumers don’t want to pay the higher prices that come with more secure webcams, therefore it’s believed some manufacturers may have taken shortcuts in security in order to keep prices low. The Federal Trade Commission addressed this topic in a report from Jan. 27, 2015, in which they urged “companies to adopt best practices to address consumer privacy and security risks," stating that companies should “build security into devices at the outset, rather than as an afterthought in the design process.”

Kelso said the responsibility eventually lies with the consumer.

"Manufacturers really don't care about the security features of the device. The thing they really care about is how many devices can they sell to the average user … I think people need to really sit down, take a look at the technology they're inviting into their homes and make sure that they fully understand what capabilities the technology has and what risk they're inviting into their homes if they don't have the knowledge to set it up properly."

-----

Josh Helmuth can be reached at josh.helmuth@kshb.com.

Follow him on Twitter

 

Connect on Facebook