Coming to you live, from unsecured webcams
MORE than 785 webcam feeds from living rooms, bedrooms, offices, warehouses and shops around Singapore are being streamed live on the Internet.
Russian website Insecam.com claims to have aggregated video feeds from over 73,000 webcams from around the world and published them.
The feeds are taken off publicly accessible servers using the cameras' default passwords, which give new users access to the devices. Owners are usually reminded to change the password once they have the cameras up and running.
The feeds are from closed-circuit TV and Internet Protocol (IP) cameras used at home or in the office to monitor activities, and are not from cameras found on laptops, tablets or computers.
While random links to unsecured IP camera feeds have been available online, this is the first time an aggregator has collected feeds from around the world and hosted them on a website.
Most locations from Singapore are single-camera set-ups, although there are several homes and offices with four or eight cameras showing the surroundings.
The site lists the brand of the IP camera, and the default password used to access the feed. It also gives what it says are the geographic locations of the cameras.
Some listings even show the local zipcode, but not the full address of the camera's location.
According to security experts, it is likely that these webcams are not the more secure devices that use peer-to-peer protocols to prevent unauthorised access.
Wana Tun, regional technical evangelist from computer security vendor Sophos, said: "With little security features available on consumer-grade routers, the only security mechanism for these IP cameras is username and password... and these are shipped with a default username and password which anonymous users can obtain easily from the Internet."
The danger is not just with webcams, but also with most network devices, warned Eugene Teo, senior manager of security response at security firm Symantec.
He said: "There are search engines that allow people to do an online search for Internet-enabled devices ranging from security cameras to cars, home-heating systems and more.
"Although the search engine does not reveal vulnerabilities, it makes it easier for the devices to be found, which cyber criminals can then target and exploit."
According to online magazine Motherboard, which first reported on the Russian site last month, the alleged administrator of Insecam claimed that the site was meant to highlight poor user security and is not a tool for voyeurs.
The site's frequently asked questions page states that webcam owners can ask for their feed to be taken down. As of yesterday morning, several local feeds on the site have gone dark, while some no longer load.
To prevent webcams from being identified or accessed, IP camera makers recommend that owners change the password and not host the feeds on websites.
Jonathan Quek, product marketing director for camera-maker D-Link, said: "From our back end, we have ensured that the security is in place. But end users have to do their due diligence to change the password regularly, to enhance the protection."