Webcam hacker pervs in MASS HOME INVASION

Too many people are leaving their internet-connected webcams wide open to silent perverts, the UK's privacy watchdog has warned. The ICO has urged everyone to make sure they've changed their passwords on the devices from the factory defaults, which scumbags are exploiting to spy on victims from afar. The warning follows the …


  1. Lionel Baden

    Why remove it ?

    Is it not better that something like this exists? The worst that can come from this is that companies start sending out devices without default passwords / people start learning some basic security measures.

    You only learn to not touch the hot oven by burning yourself.

    1. Anonymous Coward

      Re: Why remove it ?

      However unless the site gets WIDELY publicised (like in the tabloids and/or evening news) then the majority of 'victims' will never realise the problem, and the site will just remain a voyeur's wet dream!

      I wonder if the people who sell these things should have more of a duty of care to include clear warnings of the dangers of lax security configuration?

      1. Lionel Baden

        Re: Why remove it ?

        I wonder if the people who sell these things should have more of a duty of care to include clear warnings of the dangers of lax security configuration?

        Which in turn will only happen when things like these happen.

      2. Tom Chiverton 1

        Re: Why remove it ?

        "However unless the site gets WIDELY publicised "

        Was on BBC breakfast, so should make the ten o'clock as well.

        1. Lyndon Hills 1

          Re: Why remove it ?

          Also on the front page of the web site

        2. John Brown (no body) Silver badge

          Re: Why remove it ?

          "Was on BBC breakfast,"

          Just saw it on the local BBC news too. Hackers did it. The Police are looking into the matter. LOL

          At least the reporter did eventually get to the point that it's the fault of ignorant users retaining the default password rather than the l33t skills of h4Xors.

          (Please note, I said ignorant, not stupid. Ignorance can be cured with education, while stupid is, well, stupid. It's a shame the BBC didn't take the opportunity to educate properly by emphasising the default password thing more. It is part of the BBC Charter after all, let alone their plans to educate the masses in "coding", coming soon(tm).)

      3. Anonymous Coward

        Re: Why remove it ?

        I've saved the link here and I'll be popping it up for everyone to see on my tablet. Wherever I go. Sometimes the only way to get the point across requires the metaphorical baseball bat.

    2. Anonymous Coward

      Re: Why remove it ?

      http://insecam.cc/

  2. Chris Miller

    This was big news about 10 years ago (remember johnny.ihackstuff.com - now gone to the great bit bucket in the sky). Glad to see the government is as on the ball as ever.

    1. Elmer Phud

      Yup, and regularly from then to now we get told that these devices are vulnerable.

      There ought to be another news category for the Reg -- 'Haven't we heard this one before . . .' , or 'we told you so . . .'

  3. Anonymous Coward
    FAIL

    Lazy manufacturers (and users as well, but that's not news)...it's so simple to disable the camera while the default password remains the same...

    1. Lionel Baden

      On that note, it would be slightly more altruistic to create a site that went round and turned off all these devices with default passwords. Call up support: "My device keeps turning off?" "Have you changed the password?" ... till they want to reduce the amount of calls and send out the devices with random passwords.

      Not sure how many people would get upset, but it would do everybody a great favor !!!

      1. Billa Bong

        Ahh, to assume that support are competent

        I dealt with a support team once that, before anything could ever be looked into, changed the login password back to its default so they themselves could log in.

        Me: "Wait, you did what now?"

        Them: "We reset the password back to default. You can change it back once we've finished our investigation"

        Me: "... and you have a mechanism that allows you to do that?"

        Them: "Yes. We find it's the fastest way to resolve customer issues"

        Me: "... Goodbye. *click* *unplug*"

        1. Joe 48

          Re: Ahh, to assume that support are competent

          @Billa Bong

          This is why I run a second firewall (IPfire) in front of my home LAN as I don't trust my ISP!

          1. Anonymous Coward
            Meh

            Re: Ahh, to assume that support are competent

            Isn't that pretty standard?

        2. Jagged

          Re: Ahh, to assume that support are competent

          I wouldn't mind knowing what company/product that was for?

          1. Anonymous Coward
            Joke

            @Jagged

            All of them... ;)

        3. Technological Viking

          Re: Ahh, to assume that support are competent

          Comcast (yeah, I'll name names) noticed and then outright admonished me for changing the default username and password for a small *business class* router while I was on the phone with a technician to troubleshoot a tunneling issue. It's disappointingly common for manufacturers and support groups to pretend like using their default username and password both set to "login" for longer than 30 seconds after turning the device on is an acceptable practice.

      2. Simon Harris

        "create a site that went round and turned off all these devices with default passwords."

        At least in the UK, that might well fall foul of Section 3 and/or Section 3A of the Computer Misuse Act (1990)

        1. Destroy All Monsters Silver badge
          Trollface

          At least in the UK, that might well fall foul of Section 3 and/or Section 3A of the Computer Misuse Act (1990)

          But if done from Russia you would just get some pornographic moaning about "Russian invasions" from the PM and sophomoric snarkiness on Twitter from the Ministry of Foreign Affairs, all of which can just be relegated to the background noise of Modern Living.

    2. Amorous Cowherder
      Facepalm

      Yep, grab yourself a copy of NMAP and do a scan on the range of IPs just outside your own "frontdoor" from your home connection and you'll find a treasure trove of goodies sitting connected directly to the internet. A quick Google search for the default logins on these devices and you're in. Tragic state of affairs by lazy manufacturers.

  4. goldcd

    Hmm.

    Not *just* default passwords.

    Normally if I plug something random into my home router if I leave stuff defaulted, then it's stupidly configured, but only accessible to me, in my house.

    Can only speak for the Foscam cameras, but these 'helpfully' expose themselves to the external world by punching through my router, and assigning themselves a guessable dynamic IP domain.

    1. Trevor_Pott Gold badge

      Re: Hmm.

      "Normally if I plug something random into my home router if I leave stuff defaulted, then it's stupidly configured, but only accessible to me, in my house."

      IPv6 wishes to solve this for you.

      1. Ken Hagan Gold badge

        Re: Hmm.

        "IPv6 wishes to solve this for you."

        Indeed it does. Under IPv4, devices (and games, and whatever else) need to "punch holes in your router" and so many people simply enable the "let devices punch holes in my router" feature in their router. (Well, probably not. Actually, many people simply do nothing because their ISP pre-configured the router with this "on" in order to reduce its customer support burden.) This, however, lets *any* device punch holes, not just the one or two that you wanted.

        Under IPv6, there's no need for such a feature to exist in your router, so people will get into the habit of using the router's firewall configuration instead and that ought to result in exceptions being made on a case-by-case basis.
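        As an added example that is not part of the thread, here is what the "case-by-case exceptions" approach described in the post above looks like as an nftables IPv6 forwarding policy on a home router: everything inbound is dropped unless the LAN started the connection, and the one deliberately exposed device gets an explicit, auditable rule. The interface names, the camera's address (documentation prefix) and the choice of port are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumptions (hypothetical):
# WAN interface "wan0", LAN interface "lan0", and the camera has the
# stable LAN address 2001:db8:1::10 (RFC 3849 documentation prefix).
table ip6 home {
    chain forward {
        # Default: nothing is forwarded into the LAN unless a rule says so,
        # which is the IPv6 equivalent of "no UPnP hole punching".
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened are allowed back in.
        ct state established,related accept

        # Anything the LAN initiates towards the internet may go out.
        iifname "lan0" oifname "wan0" accept

        # IPv6 breaks without ICMPv6 (path MTU discovery in particular),
        # so pass the essential types rather than blocking ICMP wholesale
        # or allowing every type.
        icmpv6 type { destination-unreachable, packet-too-big,
                      time-exceeded, parameter-problem, echo-request } accept

        # The one explicit exception: HTTPS to the camera only, added
        # because the owner chose to expose it, not because the camera asked.
        iifname "wan0" oifname "lan0" ip6 daddr 2001:db8:1::10 tcp dport 443 accept

        # Log what the default policy is about to drop so a new device
        # that tries to become reachable shows up in the router's logs.
        iifname "wan0" oifname "lan0" log prefix "ip6-fwd-drop: " drop
    }
}
```

        Load it with `nft -f` on the router; a device that later needs an exception gets its own one-line rule, which is the habit the post argues IPv6 encourages.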

        1. Trevor_Pott Gold badge

          Re: Hmm.

          "so people will get into the habit of using the router's firewall configuration instead"

          Ivory tower bullshit that is completely out of touch with reality.

          1. Ken Hagan Gold badge

            Re: Hmm.

            "Ivory tower bullshit that is completely out of touch with reality."

            So what are they going to do instead?

            Option 1: Vendors will design routers with a big off-switch on the firewall so that every device on the LAN side is directly addressable. Result: said vendors' customers are totally raped and burned within minutes of switching the device on and the vendors, along with any ISP daft enough to foist such crud on Joe User faces lawsuits for apocalyptic levels of negligence.

            Option 2: Vendors implement UPnP for IPv6, or its moral equivalent. A daft idea, but no less secure than implementing it for IPv4. In both cases, a device (or malware running on the device) on the LAN side is able to bypass whatever firewalling restrictions are in place without the user's knowledge. In neither case can an external host force its way in without help from the LAN side.

            Option 3: What I said.

            1. Trevor_Pott Gold badge

              Re: Hmm.

              Options 1 or 2 will occur. Just because Option 3 is the right thing from an engineer standpoint or an IT policy standpoint doesn't mean it will occur. People don't want to learn about how computers work. They just want the fucking things to work.

              "What you said" - that people will learn about firewalls and learn to configure them - will not occur. Will not. History informs us pretty well about these things. People gleefully use tools they don't fully understand all the time. The more complex it is, the less time they spend learning it, unless it is their actual job (or a personal hobby) to learn about it.

              And, to be blunt, IT is a really bloody boring hobby.

              1. gotes

                Re: Hmm.

                And, to be blunt, IT is a really bloody boring hobby.

                I've been an IT hobbyist since childhood, and subsequently an "IT professional", and I actually find it very interesting! A lot of hobbies will seem boring to people who aren't interested in them.

                1. Kiwi
                  IT Angle

                  Re: Hmm.

                  And, to be blunt, IT is a really bloody boring hobby.

                  I've been an IT hobbyist since childhood, and subsequently an "IT professional", and I actually find it very interesting!

                  I used to be a hobbyist. Then I became a pro. Now I wish I'd never heard of computers.

          2. P. Lee

            Re: Hmm.

            Any time you want to host a service, you'll run into security problems, especially if running cheap kit.

            However, IPv6 does allow at least the possibility that you can set up a sensible firewall ruleset, partition your network for DMZs etc., on a residential system.

            It doesn't solve the problem of poor security on the end device of course. That's why we use VPNs.

            I've noticed at least some progress already with wireless segregation being offered on lower-end devices.

        2. Fluffy Bunny
          Joke

          Re: Hmm.

          "Under IPv6, there's no need for such a feature to exist in your router, so people will get into the habit of using the router's firewall configuration instead"

          I would love to sell you my nice shiny bridge. Just one previous owner.

      2. Mage Silver badge

        Re: Hmm. IP6

        Except IP6 will not solve it.

        The companies marketing Internet of Things only care about Shiny and not Security.

        Web [In]Security cameras.

        Analogue and Digital Wireless Alarms.

        I'll stick to coax baseband video for Cameras and 4 core cable with tamper connection for all alarm sensors.

    2. Justin Pasher

      Re: Hmm.

      In addition to the "convenient" dynamic DNS supported by Foscam devices, some devices will attempt to use UPnP to dynamically forward ports to the camera/NVR device. If your router supports this by default (for example, the ActionTec provided for Verizon FiOS), the device can (unbeknownst to the end user) make itself accessible to the outside world.

      I've had this experience with a Q-SEE NVR (although I had read the included "quick setup" guide that mentioned how to access it remotely, so I knew it was doing that). Although changing the default password will "lock it down", it is still a bad idea for the default setting to be "punch holes in my firewall". Come to think of it, I don't even know if the NVR HAD the ability to disable UPnP.

  5. Jediben

    Where is the harm (no matter how ill-perceived the media wish this to sound) in any of these situations? The cameras are in place for a reason and even in public locations such as gyms etc there should be an expectation that the camera is on and SOMEONE can see it.

    I have IP cameras at home to view my pets while I am away, and I can tell you half a dozen places where I would expect privacy for both myself and them and so HAVEN'T placed cameras there:

    1. The bedroom.

    2. The toilet.

    3. The other toilet.

    4. The cupboard under the stairs.

    5. The Jacuzzi

    6. The secret underground lair beneath the dormant volcano

    Even if evil kiddy fiddlers can catch an eyeful of a blurry 320x480 image of a 7 month old sleeping in a crib in terrible IR mode, so what? You won't be able to tell the location of the household, or learn the PIN number of the father's bank account!

    Of all the situations where a password has been left as default, I can think of a lot worse!

    1. Tom Chiverton 1

      "You won't be able to tell the location of the household"

      They have the IP address. That's enough to geolocate it almost exactly.

      1. Simon Harris

        Geolocation (with some additional detective work) may make a good guess if the address is associated with a company with a registered domain name (at work, it knows who I work for, but not which site I'm on). For a home user plugged into an ISP, when I've tried it, it identifies the provider, but the location it suggests is usually only somewhere within a 50 mile radius of where I actually am.

    2. hplasm
      Happy

      "4. The cupboard under the stairs."

      Why- Are you keeping a young wizard in there?

    3. Anonymous Coward

      Err?

      Ever heard of IP tracking and tracing?

      The bad guys will know which ISP you use via tracert etc. Like the Cops etc, you can be traced to a specific address, especially if, like a lot of us IT people, you have fixed IP addresses.

      No enabled cameras in my place. All the laptops have black tape over the cameras just in case.

      1. Jediben

        Re: Err?

        Better put a camera outside my front door so that I can see the nasty Russians coming up the path when they decide that my sofa is worth breaking into my house to nick then! Heaven forbid the cat is verbally abused by a 14 year old Moscovian school child through the in-built microphone. PERSPECTIVE people. People should be far more concerned about their neighbours, close relatives, the plod and teachers abusing line of sight into their lives than a camera they have placed themselves.

      2. Muscleguy

        Re: Err?

        A traceroute on this IP address says it is located close to Virgin media's HQ instead of somewhere in Eastern Scotland where I really am. So, it depends on who your ISP is it would seem. I fully expect the spooks can find out but they would either have to make Virgin tell or like in the US GCHQ might well have a backdoor to more easily facilitate such things.

        1. Asylum Sam

          Re: Err?

          Yea but tracert is pants... give this a try in ffox (click the "test the location service by clicking here" link) and see if you're still located near Virgin's HQ

          http://samy.pl/mapxss/

          1. Anonymous Coward

            Re: Err?

            Doesn't seem to do anything at all?

          2. Martin-73 Silver badge

            Re: Err?

            Thinks I'm in the ocean off the coast of west africa, and if I enter my router's mac address, it spews forth an html 404 error page as plain text all over where the useless map was...

          3. Kiwi

            Re: Err? @ Asylum Sam

            Yea but tracert is pants... give this a try in ffox (click the "test the location service by clicking here" link) and see if you're still located near Virgin's HQ

            http://samy.pl/mapxss/

            Well... Interestingly close... Only a few streets away.

            Oh, and I used the company IP, with the company address plastered all over the web server (the web server is located within the company's building).

            Close enough that I might know someone in the area (I don't), but far enough away I probably wouldn't even hear of an armed offenders callout in the area.

            Nowhere near close enough to worry about.

            Found this site I think through an El Reg comment some weeks back. Have looked closely at cameras in my area, identified and notified those I can, some have taken notice some haven't. Many I don't have a clue where they are, even where I can see some of the surrounding countryside.

            It is a risk, but it is not as great a risk for some as some would have you believe.

            1. AlbertH
              Mushroom

              Re: Err? @ Asylum Sam

              Nowhere near close enough to worry about.

              Within a few streets? Close enough for a small tactical nuke, then!

            2. Kiwi

              Re: Err? @ Asylum Sam

              Found this site I think through an El Reg comment some weeks back.

              Actually, in interests of accuracy and belatedly replying to my own posts for a change, I actually found the site as a result of a look through my web server logs or web stats. Spent a while a) letting people know and b) trying to ID those places local to me.

              I also see it seems to be back up again, although the numbers are much lower than I recall.

              Good luck to him.

    4. Joe 48

      Not for me thanks....

      @Jediben

      IP geolocation would worry me, not hard to locate someone from IP and getting more accurate all the time.

      Add that to cameras around my house so they can instantly work out blind spots. Like the bathroom windows.

      You can think of a lot worse with default passwords? I can't, leaving my home and family vulnerable is much much worse imo.

      General non-technical people's ignorance I can understand, but you seem to grasp the problem, and yet still choose to ignore it. That imo is even worse!

      1. Jediben

        Re: Not for me thanks....

        Did I say I haven't changed the default password? No I didn't. My devices are secured thank you.

        The problem is not ignored, the problem has been evaluated and determined to be of insignificant threat.

        Here are a few things where default passwords are worse than on an IP camera:

        1. Cable modems/ADSL modems/Routers. (MITM attacks, dodgy DNS you name it)

        2. Servers of any kind (exploited/used to host unsavoury files/keylogging etc)

        3. ATMs (steals money from the bank)

        4. Smart Electricity meters/central heating (costs you money, boils the cat!)

        1. Joe 48

          Re: Not for me thanks....

          None of those put my house at risk in quite the same way as providing visual insight into my house.

          Ok, so you didn't say you were running defaults, my bad. But you still imply it's not that big a risk, when in fact it is.

      2. Christine Munro Silver badge

        Re: Not for me thanks....

        > "IP geolocation would worry me, not hard to locate someone from IP and getting more accurate all the time."

        Google keeps trying to geolocate my IP address with various rates of unsuccessfulness. My static IP has variously been in Maidstone, Manchester, somewhere in Scotland, Hatfield and Norfolk in the past year or two. I live nowhere near any of those places. Not that I've much worth nicking anyway, and any intruder would be savaged by the cat. She can do a serious moult when she wants to.
