ICO warns that Russian website allows webcam/baby monitor feeds to be watched online

ICO warns users to change their default passwords to avoid webcam spying.

ICO fines Northern Ireland Govt Agency £185,000
ICO fines Northern Ireland Govt Agency £185,000
IThe UK Information Regulator - the ICO - has warned about a Russian website that allows Internet users to watch live footage from insecure webcams, baby monitors, security cameras and CCTVs in the UK.

What is interesting about the site is that it appears to auto-select the default admin password for each piece of kit it interrogates, effectively `joining the dots' on a process that has been known to hackers for some time.

Because of the site, the ICO has warned UK citizens of the danger of not using strong passwords - and has urged them to change their default password as soon as possible.

Chris McIntosh, CEO OF ViaSat UK, said that the existence of the website - and the fact people's private lives are being broadcast on the internet - demonstrates that increased connectivity means cyber security is now an all-encompassing problem and the message on the need for robust data protection is still not getting through.

"Technology is only as good as the people that use it and the public needs to do its part by not leaving the door open to malevolent third parties. Using the default password on a consumer device is asking for trouble and was clearly demonstrated during the `phone hacking' scandal of 2011 when journalists accessed celebrities' personal messages through using default passwords for different mobile networks," he said.

"On the other hand, changing this to something as simple as `password1; and using this over and over again between multiple devices isn't much better - passwords need to be hard to guess and changed regularly to be effective," he added.

McIntosh went on to say that another example that shows this is that the FBI was recently able to access a notorious hacker's computer because they used their cat's name as the password.

Internet of Things


"In the future with the `Internet Of Things' connecting almost all consumer devices to the Internet, practically any one will be at risk of being hacked or accessed by third parties so a robust approach to IT security needs to be put in place now and become second nature if we are to avoid cases like the Russian site being commonplace in the future," he explained.

Tony Marques, a cyber-security consultant with the Encode Group, picked up on the fact that the use of default passwords to access connected kit on the Internet is not that new and issue.

"IP webcams exposed to compromise in this way is not new, but when it gets personal, the issue rightly gets far more attention. However, IP Web cams are just a part of the rapidly emerging 'Internet of Things' encompassing a far wider range of consumer devices - all needing credential-based security. It's a complexity that vendors need to address in a consistent and effective manner for consumers," he said.

Leading analyst Bob Tarzey of Quocirca, meanwhile, questioned the benefit that the Russians behind the website will get from spying on UK Internet users' homes.

Monetising the fraud


The key question, he told SCMagazineUK.com, is how the Russians or other cyber-criminals could monetise a potential fraud.

"I think this story is being over-hyped. How would you monetise such a hack or how would it help perpetrate some sort of hacktivist campaign? As with phone hacking, celebrities should be wary, but for most of us it is reasonably safe to say that our lives are too dull for anyone to spend hours watching what we do in our homes," he said, adding that the only caveat is to think what you expose in front of a web cam - ie your body or bank statement - just in case.

Over at ESET, meanwhile, Mark James, a security specialist with the firm, said it all comes down to the individual to decide where to place the camera.

"Once placed, a decision should be made as to what is made available for online streaming. I totally understand why you would want to stream your front drive or even the alleyway providing access to the back of the house but honestly in what situation would you need to stream your children's bedroom outside of your private residence," he said.

"One of the biggest problems with international boundaries is that the rules are governed by the country hosting the server. It is and always will be the problem with the Internet until changes are made by an organisation with global authority but the chances of that happening are extremely slim," he added.

According to James, the end user needs to be fully aware that a default password exists with easy instructions on how to change it.

"The manufacturer could make a default password and then force the user to change it on first use to something other than itself, but it may drive the cost of the unit up. As for changing the password - the point here is not about how hard or long the password is, it's about not using the default password," he explained.