Many people have webcams installed in and around their house. For a Houston mother, the security that the cameras inside her house brought her was instantly turned into a nightmare recently.
Another mother, in Oregon, was looking at satellite feeds of earth with her son when they started looking for more images. They came across an app called Live Camera Viewer.
They downloaded the app and opened it. As they scrolled through the images, they came across a feed that was labelled as being from Houston. It was a feed from inside two little girls’ bedroom.
The Oregon mom, horrified, posted a screenshot of the bedroom on a Facebook group for Houston moms, hoping someone would recognize it.
A friend of the Houston mom did recognize the bedroom and notified the mom who’s camera had been hacked.
After getting the app information, the Houston mom found the feed and saw that it had been “liked” over 500 times, meaning at least that many people had watched the feed, probably a lot more.
The good news for her is that someone in Oregon was freaked out enough that she reached out on Facebook and the Houston mom was able to find out about it and turn off the cam.
The article said that the camera was hacked, but that may or may not be true. Many people do not change the default userid and password, so if someone found the address of the camera and tried the default password, is that hacking?
Even if the owner did change the password, people often pick really hard to guess passwords. Remember, the two most common passwords are password and 123456, so even if people do change the password, it often is not hard to guess.
And remember my post from a few weeks ago where Rapid7 tested 10 web based baby monitor – the one were 10 out of 10 cameras were hackable? Any reason to think that webcams are any more secure? I doubt it.
The app may not have any evil intent. There are tens of thousands of public webcams that are designed for people to view them. Public buildings have them, the Park Service has them – they are all over the place. It sounds like in this case that there isn’t a process in place to vet those cameras before they are placed online. The app is free, so it is not likely that the person who wrote it is going to spend tens of thousands of dollars a year to vet every camera that a user adds to the list.
So what should you do?
Well first, I would really reconsider the wisdom of putting cameras in your kid’s bedroom, especially if those cameras are going to be visible to the Internet, even with a password. If you can see the camera on your phone, it is likely visible on the Internet.
Second, wherever those cameras are pointing, change the default userid and password and make the password complex. No, that does not mean Password1. It doesn’t even mean Pa$$word1. At least you want to make people work for it.
Third, you want to find out how the manufacturer notifies you about security patches and how you install them. If you can find a camera that will automatically check for and install patches, that is probably best. If the manufacturer cannot tell you how the do patches and how often, I would recommend looking for a different camera.
Next, I would change the passwords periodically. How often is a tradeoff between convenience and security, but I would say at least once a year.
Lastly, consider where you are putting those cameras and what a hacker might see if they do get into it – beyond the bedroom question. The outside of your house is bad enough, but private areas of your house ought to be off limits. In your house, do people lounge around the family room in less than public attire? If so, the family room should be off limits to.
If you have the ability to only have the cameras operate when you are not home, that eliminates some of the concern. That would mean that you would need to have a way to turn the cameras on and off – possibly tied into an alarm system.
This Houston mom found out about it hard way – at least you know about it now and can take steps to deal with it.
Information for this post came from ABC News.
A video segment on webcam risks on ABC can be found here.