IP Camera Publication highlights the need to change 'default passwords'
24th November 2014
This week's mass collation and rebroadcast of people's private 'webcams' once again highlights the dangers of leaving default passwords on your networking equipment. It has also generated media headlines and coverage which have exaggerated the scope of the problem.
The web site scanned (searched) the Internet for IP cameras (self-contained webcams). Upon finding one, it tried the default passwords (e.g. admin/admin), and in this way catalogued thousands of these webcams. Hundreds of the cameras are in the UK.
Some of the most common applications for IP CCTV cameras are premises security, baby monitors and keeping an eye on elderly people in care, so the images show many sleeping babies and seniors in their rooms. Other images include shops, warehouses, kitchens, living rooms, driveways - everywhere that one might put CCTV. You can also see people relaxing in the 'privacy' of their home, or relaxing at work - many of those people might not even realise they are on camera.
Click the image on the right for a screengrab. We have redacted the images so that no-one is identifiable, but we have chosen to include the images (as thumbnails, not full resolution) as it really does highlight how invasive it is, particularly those sleeping babies, whose parents will be completely unaware. Note that the web site stored and showed static thumbnails - clicking on them would actually access the live feed directly to the camera. To be clear, we screen-grabbed only the thumbnails from the web site; we did not access the cameras or live feeds.
Although other media refer to the images as 'webcams' (and we have heard 'experts' mistakenly refer to built-in or USB cameras on computers), these published cameras are actually stand-alone IP cameras - ones which connect to your network (WiFi or Ethernet), not USB. They provide direct web access and, in the case of many of these cameras, remote access (from the Internet) seems to be enabled by default. Such settings make the product easier to use, but also make this sort of voyeurism easy.
Whilst this is all very creepy and disconcerting, the web site claims that their motivation is to highlight the issue, to encourage people to lock down their cameras. Remember, these cameras were not 'hacked' - they are opening themselves up to the Internet specifically. Actually, you might argue that accessing a remote system with a password is still 'hacking', but in this case, it does not require any special skills; indeed, some of the most infamous hacks, even on military targets, have been made possible by default passwords being left unchanged.
Preventing your IP camera from being accessed is very simple - change the default passwords for all users - something we strongly encourage for all networking equipment, and one of the key recommendations of our Best Practice Guide.
That would include the admin password, but many IP cameras have more than one user account, so change them all (or delete ones you won't use). Secondly, if you don't need remote access to your camera (viewing it from the Internet), disable remote access, and also UPnP services on the camera. If you do need remote access, you could also use a VPN to increase security, or lock down the permitted remote IP addresses if they are fixed/known. Also, check whether your camera is, by default, advertising itself to the manufacturer's or a third-party DDNS (Dynamic DNS) service. Such services make it easy to find your camera if you don't have a fixed IP address, but also make it easy for other people to find it.
Read these recommendations and many others in our Best Practice Guide.
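The checks described above can be run as an audit over a written-down inventory of your own cameras and router port-forwards. This is an added example, not DrayTek code: the field names and sample data are constructed for illustration, and each account's `True`/`False` value records whether its password has been changed from the factory default.

```python
import ipaddress

def open_to_internet(forward):
    """True if a port-forward accepts connections from any source address."""
    sources = forward["allowed_sources"]
    if not sources:  # no source restriction configured at all
        return True
    # A 0.0.0.0/0 or ::/0 entry is an allow-list in name only.
    return any(ipaddress.ip_network(s, strict=False).prefixlen == 0 for s in sources)

def audit(cameras, forwards):
    """Return {camera name: [findings]} for the checks listed in the article."""
    report = {}
    for cam in cameras:
        findings = []
        # Every account counts, not just admin: change it or delete it.
        for user, changed in sorted(cam["accounts"].items()):
            if not changed:
                findings.append(f"account '{user}' still has its default password")
        if cam["upnp"]:
            findings.append("UPnP is enabled on the camera")
        if cam["ddns"]:
            findings.append("camera advertises itself to a DDNS service")
        # Remote access is acceptable only when limited to fixed/known addresses.
        for fwd in forwards:
            if fwd["lan_ip"] == cam["ip"] and open_to_internet(fwd):
                findings.append(f"WAN port {fwd['wan_port']} reaches the camera from any address")
        report[cam["name"]] = findings
    return report

# Constructed sample inventory (hypothetical field names, documentation-range addresses).
CAMERAS = [
    {"name": "nursery", "ip": "192.168.1.50",
     "accounts": {"admin": True, "guest": False}, "upnp": True, "ddns": True},
    {"name": "driveway", "ip": "192.168.1.51",
     "accounts": {"admin": True}, "upnp": False, "ddns": False},
]
FORWARDS = [
    {"wan_port": 8080, "lan_ip": "192.168.1.50", "allowed_sources": []},
    {"wan_port": 8081, "lan_ip": "192.168.1.51", "allowed_sources": ["203.0.113.10/32"]},
]

if __name__ == "__main__":
    for name, findings in audit(CAMERAS, FORWARDS).items():
        print(name, "OK" if not findings else findings)
```
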
- First Published: 24/11/2014
- Last Updated: 07/01/2016