The news: How would you feel if you found out a live stream of your bedroom had been airing online for weeks?
The website Insecam is doing just that, streaming footage from approximately 73,000 Internet-connected IP cameras around the world. The majority appear to be from cameras running default security settings (like using “admin1” or “password” as a password).
In just a few minutes of browsing, users can find live footage from locations as varied as stores, parking lots and the interiors of countless private residences. One particularly unsettling feed appeared to be aimed at a bed.
It is pretty terrifying.
What’s going on here? IP cameras differ from closed-circuit television (CCTV) models because they stream footage directly onto a network without having to connect to a recording device or control network. They offer major advantages over older technology, including the ability to record multiple feeds at the same time and at much higher resolution. Many are streamed over the Internet for the convenience of buyers. Ars Technica’s Tom Connor explained the problem in 2011:
Once an IP camera is installed and online, users can access it using its own individual internal or external IP address, or by connecting to its [network video recorder] NVR (or both). In either case, users need only load a simple browser-based applet (typically Flash, Java, or ActiveX) to view live or recorded video, control cameras, or check their settings. As with anything else on the Internet, an immediate side effect is that online security becomes an issue the moment the connection goes active.
The central system monitoring the feeds might be secure, but often the cameras are not — either because they don’t support passwords or because the user neglected to change the default one. This means that remote viewing pages set up by the cameras are essentially open game to anyone who knows enough about search engines to find them.
For example, a standard Google search for “Axis 206M” (a 1.3 megapixel IP camera by Axis) yields pages of spec sheets, manuals, and sites where the camera can be purchased. Change the search to “intitle: ‘Live View / – AXIS 206M,’” though, and Google returns 3 pages of links to 206Ms that are online and viewable.
Insecam seems to be using similar techniques to aggregate as many of these cams together as possible. While some are obviously meant to be publicly available, others appear to have been illegally accessed — as admitted on the website’s homepage, which says it has “been designed to show the importance of the security settings.” But from the ads littering the homepage, it may just be an opportunity to profit off of voyeurism.
Isn’t this illegal? In the case of the cameras accessed using default passwords, of course. Attorney Jay Leiderman told Motherboard that Insecam “is a stunningly clear violation of the Computer Fraud and Abuse Act (CFAA),” even if it is intended as a PSA. “You put a password on a computer to keep it private, even if that password is just ‘1.’ It’s entry into a protected computer.”
But who’s going to stop it? Gawker reports the domain name appeared to be registered through GoDaddy to an IP address in Moscow, meaning the site’s operators are unlikely to be tracked down. Meanwhile, the alleged anonymous administrator of the site insisted to Motherboard that the scale of the problem warranted dramatic action — and that an “automated” process was adding thousands more cameras each week.
Hopefully, authorities will take action to bring Insecam down. But in the meantime, this should be a reminder that password security is no joke.