15,000 private webcams left open to snooping, no password required

Once again concerns are being raised about the sorry state of IoT security, after a security researcher discovered over 15,000 private webcams that have been left wide open for anyone with an internet account to monitor.

Avishai Efrat, a white hat researcher working for WizCase, identified thousands of unsecured webcam video feeds being broadcast from multiple places around the world. The webcams are made by a variety of manufacturers, including:

  • AXIS net cameras
  • Cisco Linksys webcam
  • IP Camera Logo Server
  • IQ Invision web camera
  • IP WebCam
  • Mega-Pixel IP Camera
  • Mobotix
  • WebCamXP 5
  • Yawcam

In a blog post, WizCase’s Chase Williams detailed how many of the webcams were inside people’s homes, while others appeared to be in businesses, private institutions, and even places of worship:

“Some examples of camera that were accessible include those at shops, inside the kitchens/living rooms/offices of private family homes – including a live feed of people on the phone and children peeking at the camera directly, tennis courts, storage units, hotels, museum security feeds, churches, mosques, parking lots, gyms, and more.”

According to Efrat, the privacy failure has occurred through the lethal cocktail of devices that did not secure themselves automatically when initially installed, mixed with owners who failed to take the necessary steps to ensure that security measures like password authentication and IP/MAC address whitelisting were in place. In addition, owners are advised to disable UPnP if P2P networking is in use.

As has been warned many times in the past, too many IoT devices are allowed to connect to the internet with preconfigured settings and default passwords, making life too easy for malicious hackers.

Sure enough, in some instances, Efrat reports that hackers could log into devices with admin privileges and determine information about the owners such as their approximate location, as well as theoretically hijack control of the webcam to point in a different direction.

Perhaps the most obvious concern, however, relates to the video footage itself. Taking control of a webcam gives a criminal access to privileged information which could be abused to help them in a robbery, or perhaps even blackmail the unsecured webcam’s owner.

WizCase’s opinion is that webcam manufacturers have prioritised ease-of-installation over security, and left users dangerously exposed.

Until more manufacturers make the process of securing their IoT devices easier or, better yet, automatic, it feels as though we will be reading many more headlines about individuals and businesses who have put themselves needlessly at risk.