LONDON — Unsecured footage from thousands of webcams around the world — including in the United States and western Europe — has been accessed and streamed by a website thought to be based in the Russian Federation, British officials say.
The website’s operator claims to be republishing the feeds — from sources including CCTV and baby monitors — to highlight security weaknesses.
So what can consumers do to find out if their privacy has been violated and to prevent it from happening again?
CNN spoke to Andrew Paterson, senior technology officer at Britain’s independent authority on information rights — the Information Commissioner’s Office (ICO) — which issued a warning about the web cams Thursday and Jules Polonetsky, executive director of the Future of Privacy Forum think tank.
How can you tell if your webcam feed has been compromised?
Paterson suggests the first step for concerned consumers should be to check the security settings on their web camera and ensure that their password is not set to default.
“It’s a website that’s republished the feeds from many thousands of unsecured web cams and CCTV cameras. I believe you can view more or less live footage and it looks like one person has automatically scanned the internet for unsecured cameras and then aggregated this information in one site,” Paterson says.
“If you’re particularly interested you could try to find your country, you could try to find the region or city that camera is in.”
The website guesses location based on IP addresses and has a list of countries from where it is publishing feeds, ranking them by number of unsecured cameras discovered. At the time of writing, the U.S. tops the list — with 4,591 feeds, followed by France, the Netherlands, Japan, Italy and the United Kingdom.
What devices are affected?
CCTV cameras and baby monitors are among the devices that feeds have been taken from. But many others could be affected.
“In theory, if you have a web camera and it is interface accessible over the internet, it could be at risk,” Paterson says.
Paterson says in the case of the Russian website it appears that the operator has concentrated on only a few makes.
The worry is that others may also have accessed such feeds, he says: “It appears that the person responsible is trying to raise awareness but it’s possible other people are doing other things.”
Polonetsky says it’s valuable to teach the lesson that web cameras need to be secured but says there have to be better ways than publishing people’s feeds online.
He says similar problems have existed for years.
“Almost scarier is that there are thousands of other similarly unprotected devices on the web. We continually learn about some essential device that is web accessible,” he says.
“There have been some very public examples of smart home equipment that could be accessed remotely,” he says — including devices to raise blinds or turn on lights remotely.
“If you can remotely access something, that means others can remotely access it as well and you need to lock it down — or you’re at risk.”
So what can I do to protect my privacy?
Again, Paterson stresses that having a strong password is critical.
“The one piece of advice I can give is that if you have a camera you should go and check if it’s secured with a password and must double check it’s not the default password,” he says. “Secondly, work out whether you actually need to view your webcam over the internet or not. If you don’t then you might as well turn that feature off.”
While the ICO doesn’t know the Russian website owner’s intentions, Paterson says that as far as it can tell the feeds have not been archived — though they don’t know for certain.
“It looks like if you change the default password and set a strong one it will no longer show up on website — but the owner [on the Russian site] could do anything he or she wants,” he says.
But the same flaw that has allowed this website to access personal feeds, could also have let other online users view your feed — and they may not be broadcasting the fact.
“If you’re able to log in remotely, then others are able to log in remotely. Either ensure that access is disabled or ensure you have a secure password,” Polonetsky says.
Could I seek redress if my camera feed has been accessed?
Polonetsky suggests that delivering a product with a security weakness is “like selling houses without a front door.”
“Actually, it’s worse,” he says. “Here you’re selling things to people who don’t even know there’s not a back door. It’s completely irresponsible — it’s like selling a car without a key piece of safety equipment. These things are not safe to be on the internet.”
Polonetsky says it is possible that sellers of devices without basic data protection would be considered unfair to consumers under the U.S. Federal Trade Commission’s standards.
“It could be considered unfair to sell a product that puts personal data at great risk. It will be interesting to see if any the sellers face action.”
In the UK, Paterson says accessing a computer without authorization could well breach the Computer Misuse Act.
“If you have strong evidence that somebody has compromised your camera you may be able to take it to law enforcement,” he says.
The ICO itself regulates the Data Protection Act. “If the feed from your camera can identify individuals that would be personal data and if someone’s processing that in an unfair or unlawful manner then it could breach the act,” he says.
As the website appears to be Russian-based, however, any potential legal action would require action from the authorities there. The ICO is currently trying to enlist their help to get the website taken down.