Within the traditionally-sacred walls of our homes we felt secure that we were hidden from the prying eyes of peeping Toms. Once your curtains were drawn and the door shut, you feel a sense of quiet and a feeling that you were now in your own space, saying and doing the things that you might sometimes not do in front of the public, outside of your house. But are you alone?
A revelation that a Russian-based website is streaming live video from thousands of security cameras has demonstrated just how open our lives really are. When you hear me say security cameras, perhaps you think of a camera attached to the corner of a warehouse, or one in a mall. And though some of those might be there, things like Nanny Cams or security cameras inside of personal houses are also involved.
What was the one thing that all of these cameras have in common?
When the owner configured it they didn’t change the default password that came preinstalled on the camera. It is sloppy thinking that would have manufacturers provide a default password for a connection to a piece of hardware, but having worked in the software development sector for a long time, I know that these manufacturers aren’t unique in making this mistake. Why is this a mistake? Simply because if they install a default password and then provide that to their user, it is obviously written down somewhere that is easily accessible. If the bad guys know the password of your system, it doesn’t matter how fancy the password is, they can gain access easily. So, if you are using a Sony camera, then the username is “admin” and the password is “admin”. Unless you change that, then everyone who cares to know it will know it.
In truth, the same is true for all types of hardware. Most of us have a WiFi router provided by our Internet provider. Those passwords are set by the provider and are not default values. However, if you have purchased a WiFi router from a store (which many people do) and you did not change the password when you set it up, then that password is easily accessible to anyone who cares to find it. It is easy enough to tell the make of router or camera when trying to connect, so this is not even worth calling “hacking”. This is the equivalent of putting a sign over your front door with the passcode for your numerical lock.
Why does it matter if someone can access a security camera or your internet router? What possible harm could come of it?
With access to your router, it is possible for a criminal to insert themselves between your computer and the internet. They can use a variety of attacks on your computer to gain access to critical information. What could someone do with your bank card number and password for Internet banking? They can acquire that information easily once inside your network. Do you have any emails you would rather not be seen by others? Security cameras inside your house? A thief could monitor your camera to tell when you are out of town, or to carefully log your schedule so that they know when you are away at work and when you aren’t. How many of us run partially or fully unclothed between rooms when alone in a house? We run the risk of being extorted and/or blackmailed.
When Edward Snowden fled the US for sanctuary in Russia, the tipping point that caused him to rebel against his employers (the NSA) was a surveillance program the US government was using to log all emails from people and to periodically grab pictures from webcams (from your computer, your phone, perhaps those security cameras too). He said that he found it disturbing because many of the pictures taken were people half dressed or in other states of regular life. None of these people were necessarily being investigated, this was completely without authorization, warrant, or cause.
What can manufacturers do to help prevent this?
They could ship their products without a default password and force the user to enter one. Unfortunately, the number of passwords being set to “12345” is likely going to be high enough that we will still see a sizeable number of breaches. Hardware manufacturers do need to stop shipping hardware that can be reset to factory defaults from a digital connection (a few allow this) and restrict resets to a physical button on the hardware itself. But that is a very small percentage of the offending systems that have this flaw.
Users need to be aware of the security of their belongings and their hardware. We wouldn’t leave for work and leave our front door wide open, so why would we leave our digital doors open? Cover your webcams with black tape when you aren’t using them. Do not give authorization for mobile apps to have access to your phone’s camera. Be certain that you install antivirus software from a trusted vendor on your computers, your tablets, and your phones. Change your passwords on a regular basis. These steps aren’t a guarantee of your privacy being kept safe, but at least they increase your chances in a world rife with privacy and secrecy violations.