Research has discovered that more than 15,000 private webcams around the world can be accessed by anyone with an internet connection.
White hat hacktivist Avishai Efrat from Wizcase located more than 15,000 webcams that pose a significant threat to people’s privacy.
In a post, Wizcase wrote that as well as having the ability to view the webcam footage around the globe, threat actors can manipulate it by editing settings. Many of the webcams have predictable and standard credentials which can be easily bypassed to obtain admin-level access.
Some of the vulnerable devices found include: AXIS net cameras, Cisco Linksys webcam, IP Camera Logo Server, IP WebCam, IQ Invision web camera, Mega-Pixel IP Camera, Mobotix, WebCamXP 5 and Yawcam.
The devices mentioned above are at risk of being remotely accessed if no additional security measures are implemented after installation.
Thousands of these exposed devices are located around the world, and they compromise data belonging to families, businesses and individuals. Through tests, the researchers at Wizcase were able to access cameras inside the offices of private family homes and living rooms, and could even see people on the phone and children looking at the camera.
Researchers cannot tell who owns a device from technical information alone. However, through context from the videos and, in some cases where researchers have admin access, they can find both user information and the approximate geolocation of the device, which subsequently allows them to identify who the device belongs to.
Wizcase explained why the cameras are accessible:
“In basic terms, using port forwarding means making the camera accessible through your computer’s external IP (your router). This is usually done automatically using a set of network protocols called UPnP in order to avoid technical manual configurations.
“This is the step which basically makes the device accessible from the external network using a defined port on the external IP (a number which signifies a communication endpoint for a specific service for an IP, e.g. 10.10.10.10:1234) and it’s required in order for users to connect to the device remotely. Without further precautions such as password authentication and IP/MAC address whitelisting, this is insecure.”
Many devices are designed so that installation runs seamlessly; as a result, some devices have open ports with no authentication mechanism set up.
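To make the port-forwarding explanation concrete from the owner's side, the following added example (not from Wizcase or the original article) audits a list of UPnP port mappings taken from your own router and flags forwards that expose a camera-type service to any remote address. The listing layout, the `CAMERA_PORTS` table and the function names are assumptions made for illustration, and the sample lines are constructed.

```python
import re

# Constructed sample (assumed layout): index, protocol, external port ->
# internal host:port, 'description', 'allowed remote host', lease seconds.
# An empty remote host means any internet address may connect.
SAMPLE_LISTING = """\
 0 TCP  8080->192.168.1.50:80    'IP Camera' '' 0
 1 UDP 51413->192.168.1.20:51413 'Torrent client' '' 3600
 2 TCP  8554->192.168.1.51:554   'NVR stream' '203.0.113.7' 0
"""

# Internal TCP ports that typically carry a camera web UI or video stream
# (assumed list, extend it for your own devices).
CAMERA_PORTS = {80: "HTTP UI", 443: "HTTPS UI", 554: "RTSP video", 8080: "HTTP UI"}

LINE_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->(?P<host>[\d.]+):(?P<port>\d+)"
    r"\s+'(?P<desc>[^']*)'\s+'(?P<remote>[^']*)'\s+(?P<lease>\d+)\s*$"
)

def parse_mappings(listing):
    """Turn each well-formed listing line into a dict; skip anything else."""
    mappings = []
    for line in listing.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            for key in ("ext", "port", "lease"):
                d[key] = int(d[key])
            mappings.append(d)
    return mappings

def audit(mappings):
    """Return (external_port, internal_target, verdict) for every mapping."""
    findings = []
    for m in mappings:
        target = f"{m['host']}:{m['port']}"
        if m["remote"]:
            verdict = "restricted"  # only one remote address may connect
        elif m["proto"] == "TCP" and m["port"] in CAMERA_PORTS:
            verdict = "exposed-camera-service"  # reachable by anyone
        else:
            verdict = "open-forward"  # public, but not a known camera port
        findings.append((m["ext"], target, verdict))
    return findings

if __name__ == "__main__":
    for ext, target, verdict in audit(parse_mappings(SAMPLE_LISTING)):
        print(f"external {ext:>5} -> {target:<20} {verdict}")
```

Any mapping reported as `exposed-camera-service` is a candidate for removing the forward, or for adding the password authentication and IP whitelisting the quote refers to.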
Jan van Vliet, EMEA VP and GM at Digital Guardian said:
“It is foolish to assume that just because we purchase an IP-enabled device and add it to our environments that the device in question is secure or that our networks are secured to the point of mitigating unwanted/unauthorised bi-directional communication and control.”