Governments' Vow to Take Down Webcam Aggregator Beggars Security Issue

A Website points to more than 10,000 insecure Internet-connected cameras, but efforts to shutter the aggregator ignore a larger issue.

Tech Briefing 1121

The discovery of a Website that displays links to more than 10,000 insecure Internet-connected cameras has quickly led to calls to take down the site, while largely turning a blind eye to the more pernicious problems of poorly secured Web devices.

On Nov. 20, the United Kingdom's top privacy protector, the Information Commissioner's Office, highlighted the existence of a purportedly Russia-based Website that collects links to Internet-connected video cameras with default passwords.

Taking the opportunity to educate users, the ICO stressed that such devices should be secured with complex passwords to avoid allowing online voyeurs to see inside private homes and businesses.

The agency also pledged to take action against the site.

"The ICO is working with other global data protection and privacy authorities on collaborative action connected to the website showing unsecure webcam images, while advising people on the steps they can take to protect their information," the agency said in a statement.

The ICO—and the U.S. Federal Trade Commission, which released a statement later the same day—is late to the game. The Website in question, likely, first started operating during the summer, with the intent of focusing attention on the problem of insecure Webcams.

The site, which remains accessible despite some press reports to the contrary, lists nearly 4,600 viewable cameras in the United States, more than 2,000 in France and nearly 1,600 in the Netherlands. Every camera limits access using only the default password for the device, which can be easily discovered.

Publishing the information is the only way to get people to realize the dangers of not adequately protecting these cameras, the owner of the site said in an email interview with eWEEK.

I "have no idea what could be done to motivate a user to set a password," the owner, contacted at an email address available on the site, said in the interview. "The panic in mass media (sic) is the only answer."

Insecam isn't the only site to list potentially insecure cameras accessible via the Internet. Shodan, a search engine that enumerates open ports on Internet-connected devices, can be easily queried to find likely insecure cameras—nearly 6,000, according to one canned search.

Yet, insecure Internet-connected cameras are only the most recent insecure Internet device that consumers and businesses should worry about. Researchers have scanned and found a large number of vulnerable low-end routers, video conferencing systems and industrial-control devices. While the massive number of vulnerable systems could lead to a botnet of devices, it also allows attackers to more easily compromise specific targets.

The problem will only get worse: The Internet of things is expected to grow to 200 billion devices by 2020, according to some estimates.

The administrator of Insecam is willing to discuss the legality of the site with regulators.

"Nobody asked me to take it down," the owner said. "Why should I do it? I am ready for discussion to make it fully legal."

If the site was located in the United Kingdom, it would be breaching the Data Protection Act 1998, according to the U.K.'s ICO. Principle 1 of the Data Protection Act requires that "personal data be processed fairly and lawfully," the agency said.

Robert Lemos

Robert Lemos

Robert Lemos is an award-winning freelance journalist who has covered information security, cybercrime and technology's impact on society for almost two decades. A former research engineer, he's...