LONDON (CNNMoney) — A new website based in Russia is streaming video live from thousands of private webcams around the world, including images of babies and hospital patients.
Hackers accessed the cameras by using default passwords set by the manufacturers, British officials said Thursday. Those log-in details are freely available online, leaving the unsecured cameras accessible to anyone.
Many of the cameras have been installed in homes and businesses by people trying to improve security. The owner can use them to monitor their property remotely via the Internet.
But by providing public access to these devices — including CCTV networks in shops and baby monitors — the website is exposing their intimate moments.
The website claims its motive is to draw attention to the problem.
“These cameras are not hacked. Owners of these cameras use default password by unknown reason,” the website says.
A quick browse through the website reveals live streams from nearly 4,600 cameras in the U.S., including video of a baby sleeping in a cot in New Jersey. More than 2,000 cameras have been hacked in France, about 1,500 in the Netherlands, and thousands more in over 100 countries worldwide.
There’s video of a couple having breakfast in France, CCTV footage of an elderly patient lying in a bed in Minnesota, scenes from a beauty salon in Japan, and the view of a playground with a pool and trampoline in the Netherlands.
Each link comes with what the website claims is the camera’s GPS coordinates, postcode, time zone, and a map showing its precise location.
The security concerns are huge.
“Few people would leave their front doors unlocked, yet failing to password protect your devices carries the same risks to both their privacy and security,” said Emma Carr, director of the Big Brother Watch privacy pressure group.
The U.K. Information Commissioner’s Office urged people to change the default passwords to prevent their cameras from being hacked.
Over 14,000 of those devices are made by China’s Foscam. The manufacturer was not available to comment.
Panasonic and Linksys cameras were also affected.
How you can tell and what you can do
So what can consumers do to find out if their privacyhas been violated and to prevent it from happening again?CNN spoke to Andrew Paterson, senior technology officer at Britain’s independent authority on information rights — the Information Commissioner’s Office (ICO) — which issued a warning about the web cams Thursday and Jules Polonetsky, executive director of the Future of Privacy Forum think tank.
How can you tell if your webcam feed has been compromised?
Paterson suggests the first step for concerned consumers should be to check the security settings on their web camera and ensure that their password is not set to default.
“It’s a website that’s republished the feeds from many thousands of unsecured web cams and CCTV cameras. I believe you can view more or less live footage and it looks like one person has automatically scanned the internet for unsecured cameras and then aggregated this information in one site,” Paterson says.
“If you’re particularly interested you could try to find your country, you could try to find the region or city that camera is in.”
The website guesses location based on IP addresses and has a list of countries from where it is publishing feeds, ranking them by number of unsecured cameras discovered. At the time of writing, the U.S. tops the list — with 4,591 feeds, followed by France, the Netherlands, Japan, Italy and the United Kingdom.
What devices are affected?
CCTV cameras and baby monitors are among the devices that feeds have been taken from. But many others could be affected.
“In theory, if you have a web camera and it is interface accessible over the internet, it could be at risk,” Paterson says.
Paterson says in the case of the Russian website it appears that the operator has concentrated on only a few makes.
The worry is that others may also have accessed such feeds, he says: “It appears that the person responsible is trying to raise awareness but it’s possible other people are doing other things.”
Polonetsky says it’s valuable to teach the lesson that web cameras need to be secured but says there have to be better ways than publishing people’s feeds online.
He says similar problems have existed for years.
“Almost scarier is that there are thousands of other similarly unprotected devices on the web. We continually learn about some essential device that is web accessible,” he says.
“There have been some very public examples of smart home equipment that could be accessed remotely,” he says — including devices to raise blinds or turn on lights remotely.
“If you can remotely access something, that means others can remotely access it as well and you need to lock it down — or you’re at risk.”
So what can I do to protect my privacy?
Again, Paterson stresses that having a strong password is critical.
“The one piece of advice I can give is that if you have a camera you should go and check if it’s secured with a password and must double check it’s not the default password,” he says. “Secondly, work out whether you actually need to view your webcam over the internet or not. If you don’t then you might as well turn that feature off.”
While the ICO doesn’t know the Russian website owner’s intentions, Paterson says that as far as it can tell the feeds have not been archived — though they don’t know for certain.
“It looks like if you change the default password and set a strong one it will no longer show up on website — but the owner [on the Russian site] could do anything he or she wants,” he says.
But the same flaw that has allowed this website to access personal feeds, could also have let other online users view your feed — and they may not be broadcasting the fact.
“If you’re able to log in remotely, then others are able to log in remotely. Either ensure that access is disabled or ensure you have a secure password,” Polonetsky says.
Could I seek redress if my camera feed has been accessed?
Polonetsky suggests that delivering a product with a security weakness is “like selling houses without a front door.”
“Actually, it’s worse,” he says. “Here you’re selling things to people who don’t even know there’s not a back door. It’s completely irresponsible — it’s like selling a car without a key piece of safety equipment. These things are not safe to be on the internet.”
Polonetsky says it is possible that sellers of devices without basic data protection would be considered unfair to consumers under the U.S. Federal Trade Commission’s standards.
“It could be considered unfair to sell a product that puts personal data at great risk. It will be interesting to see if any the sellers face action.”
In the UK, Paterson says accessing a computer without authorization could well breach the Computer Misuse Act.
“If you have strong evidence that somebody has compromised your camera you may be able to take it to law enforcement,” he says.
The ICO itself regulates the Data Protection Act. “If the feed from your camera can identify individuals that would be personal data and if someone’s processing that in an unfair or unlawful manner then it could breach the act,” he says.
As the website appears to be Russian-based, however, any potential legal action would require action from the authorities there. The ICO is currently trying to enlist their help to get the website taken down.
