Webcam hacker pervs in MASS HOME INVASION

Too many people are leaving their internet-connected webcams wide open to silent perverts, the UK's privacy watchdog has warned. The ICO has urged everyone to make sure they've changed their passwords on the devices from the factory defaults, which scumbags are exploiting to spy on victims from afar. The warning follows the …

  1. Lionel Baden

    Why remove it ?

    Is it not better that something like this exists? The worst that can come from this is that companies start sending out devices without default passwords / people start learning some basic security measures.

    You only learn to not touch the hot oven, by burning yourself.

    1. Anonymous Coward

      Re: Why remove it ?

      However unless the site gets WIDELY publicised (like in the tabloids and/or evening news) then the majority of 'victims' will never realise the problem, and the site will just remain a voyeur's wet dream!

      I wonder if the people who sell these things should have more of a duty of care to include clear warnings of the dangers of lax security configuration?

      1. Lionel Baden

        Re: Why remove it ?

        I wonder if the people who sell these things should have more of a duty of care to include clear warnings of the dangers of lax security configuration?

        Which in turn will only happen when things like these happen.

      2. Tom Chiverton 1

        Re: Why remove it ?

        "However unless the site gets WIDELY publicised "

        Was on BBC breakfast, so should make the ten o'clock as well.

        1. Lyndon Hills 1

          Re: Why remove it ?

          Also on the front page of the web site

        2. John Brown (no body) Silver badge

          Re: Why remove it ?

          "Was on BBC breakfast,"

          Just saw it on the local BBC news too. Hackers did it. The Police are looking into the matter. LOL

          At least the reporter did eventually get to the point that it's the fault of ignorant users retaining the default password rather than the l33t skills of h4Xors.

          (Please note, I said ignorant, not stupid. Ignorance can be cured with education, while stupid is, well, stupid. It's a shame the BBC didn't take the opportunity to educate properly by emphasising the default password thing more. It is part of the BBC Charter after all, let alone their plans to educate the masses in "coding", coming soon(tm))

      3. Anonymous Coward

        Re: Why remove it ?

        I've saved the link here and I'll be popping it up for everyone to see on my tablet. Wherever I go. Sometimes the only way to get the point across requires the metaphorical baseball bat.

    2. Anonymous Coward

      Re: Why remove it ?

      http://insecam.cc/

  2. Chris Miller

    This was big news about 10 years ago (remember johnny.ihackstuff.com - now gone to the great bit bucket in the sky). Glad to see the government is as on the ball as ever.

    1. Elmer Phud

      Yup, and regularly from then to now we get told that these devices are vulnerable.

      There ought to be another news category for the Reg -- 'Haven't we heard this one before . . .' , or 'we told you so . . .'

  3. Anonymous Coward
    FAIL

    Lazy manufacturers (and users as well, but that's not news)...it's so simple to disable the camera while the default password remains the same...

    1. Lionel Baden

      On that note, it would be slightly more altruistic to create a site that went round and turned off all these devices with default passwords. Call up support: "my device keeps turning off?" "Have you changed the password?" ... till they want to remove the amount of calls and send out the devices with random passwords.

      Not sure how many people would get upset, but it would do everybody a great favor !!!

      1. Billa Bong

        Ahh, to assume that support are competent

        I dealt with a support team once that before anything could ever be looked into they changed the login password back to its default so they themselves could log in.

        Me: "Wait, you did what now?"

        Them: "We reset the password back to default. You can change it back once we've finished our investigation"

        Me: "... and you have a mechanism that allows you to do that?"

        Them: "Yes. We find it's the fastest way to resolve customer issues"

        Me: "... Goodbye. *click* *unplug*"

        1. Joe 48

          Re: Ahh, to assume that support are competent

          @Billa Bong

          This is why I run a second firewall (IPfire) in front of my home LAN as I don't trust my ISP!

          1. Anonymous Coward
            Meh

            Re: Ahh, to assume that support are competent

            Isn't that pretty standard?

        2. Jagged

          Re: Ahh, to assume that support are competent

          I wouldn't mind knowing what company/product that was for?

          1. Anonymous Coward
            Joke

            @Jagged

            All of them... ;)

        3. Technological Viking

          Re: Ahh, to assume that support are competent

          Comcast (yeah, I'll name names) noticed and then outright admonished me for changing the default username and password for a small *business class* router while I was on the phone with a technician to troubleshoot a tunneling issue. It's disappointingly common for manufacturers and support groups to pretend like using their default username and password both set to "login" for longer than 30 seconds after turning the device on is an acceptable practice.

      2. Simon Harris

        "create a site that went round and turned off all these devices with default passwords."

        At least in the UK, that might well fall foul of Section 3 and/or Section 3A of the Computer Misuse Act (1990)

        1. Destroy All Monsters Silver badge
          Trollface

          At least in the UK, that might well fall foul of Section 3 and/or Section 3A of the Computer Misuse Act (1990)

          But if done from Russia you would just get some pornographic moaning about "Russian invasions" from the PM and sophomoric snarkiness on Twitter from the Ministry of Foreign Affairs, all of which can just be relegated to the background noise of Modern Living.

    2. Amorous Cowherder
      Facepalm

      Yep, grab yourself a copy of NMAP and do a scan on the range of IPs just outside your own "frontdoor" from your home connection and you'll find a treasure trove of goodies sitting connected directly to the internet. A quick Google search for the default logins on these devices and you're in. Tragic state of affairs by lazy manufacturers.

  4. goldcd

    Hmm.

    Not *just* default passwords.

    Normally if I plug something random into my home router if I leave stuff defaulted, then it's stupidly configured, but only accessible to me, in my house.

    Can only speak for the Foscam cameras, but these 'helpfully' expose themselves to the external world by punching through my router, and assigning themselves a guessable dynamic IP domain.

    1. Trevor_Pott Gold badge

      Re: Hmm.

      "Normally if I plug something random into my home router if I leave stuff defaulted, then it's stupidly configured, but only accessible to me, in my house."

      IPv6 wishes to solve this for you.

      1. Ken Hagan Gold badge

        Re: Hmm.

        "IPv6 wishes to solve this for you."

        Indeed it does. Under IPv4, devices (and games, and whatever else) need to "punch holes in your router" and so many people simply enable the "let devices punch holes in my router" feature in their router. (Well, probably not. Actually, many people simply do nothing because their ISP pre-configured the router with this "on" in order to reduce its customer support burden.) This, however, lets *any* device punch holes, not just the one or two that you wanted.

        Under IPv6, there's no need for such a feature to exist in your router, so people will get into the habit of using the router's firewall configuration instead and that ought to result in exceptions being made on a case-by-case basis.

        1. Trevor_Pott Gold badge

          Re: Hmm.

          "so people will get into the habit of using the router's firewall configuration instead"

          Ivory tower bullshit that is completely out of touch with reality.

          1. Ken Hagan Gold badge

            Re: Hmm.

            "Ivory tower bullshit that is completely out of touch with reality."

            So what are they going to do instead?

            Option 1: Vendors will design routers with a big off-switch on the firewall so that every device on the LAN side is directly addressable. Result: said vendors' customers are totally raped and burned within minutes of switching the device on, and the vendors, along with any ISP daft enough to foist such crud on Joe User, face lawsuits for apocalyptic levels of negligence.

            Option 2: Vendors implement UPnP for IPv6, or its moral equivalent. A daft idea, but no less secure than implementing it for IPv4. In both cases, a device (or malware running on the device) on the LAN side is able to bypass whatever firewalling restrictions are in place without the user's knowledge. In neither case can an external host force its way in without help from the LAN side.

            Option 3: What I said.

            1. Trevor_Pott Gold badge

              Re: Hmm.

              Options 1 or 2 will occur. Just because Option 3 is the right thing from an engineer standpoint or an IT policy standpoint doesn't mean it will occur. People don't want to learn about how computers work. They just want the fucking things to work.

              "What you said" - that people will learn about firewalls and learn to configure them - will not occur. Will not. History informs us pretty well about these things. People gleefully use tools they don't fully understand all the time. The more complex it is, the less time they spend learning it, unless it is their actual job (or a personal hobby) to learn about it.

              And, to be blunt, IT is a really bloody boring hobby.

              1. gotes

                Re: Hmm.

                And, to be blunt, IT is a really bloody boring hobby.

                I've been an IT hobbyist since childhood, and subsequently an "IT professional", and I actually find it very interesting! A lot of hobbies will seem boring to people who aren't interested in them.

                1. Kiwi
                  IT Angle

                  Re: Hmm.

                  And, to be blunt, IT is a really bloody boring hobby.

                  I've been an IT hobbyist since childhood, and subsequently an "IT professional", and I actually find it very interesting!

                  I used to be a hobbyist. Then I became a pro. Now I wish I'd never heard of computers.

          2. P. Lee

            Re: Hmm.

            Any time you want to host a service, you'll run into security problems, especially if running cheap kit.

            However, IPv6 does allow at least the possibility that you can set up a sensible firewall ruleset, partition your network for DMZs etc., on a residential system.

            It doesn't solve the problem of poor security on the end device of course. That's why we use VPNs.

            I've noticed at least some progress already with wireless segregation being offered on lower-end devices.

        2. Fluffy Bunny
          Joke

          Re: Hmm.

          "Under IPv6, there's no need for such a feature to exist in your router, so people will get into the habit of using the router's firewall configuration instead"

          I would love to sell you my nice shiny bridge. Just one previous owner.

      2. Mage Silver badge

        Re: Hmm. IP6

        Except IP6 will not solve it

        The companies marketing Internet of Things only care about Shiny and not Security.

        Web [In]Security cameras.

        Analogue and Digital Wireless Alarms.

        I'll stick to coax baseband video for Cameras and 4 core cable with tamper connection for all alarm sensors.

    2. Justin Pasher

      Re: Hmm.

      In addition to the "convenient" dynamic DNS supported by Foscam devices, some devices will attempt to use UPnP to dynamically forward ports to the camera/NVR device. If your router supports this by default (for example, the ActionTec provided for Verizon FiOS), the device can (unbeknownst to the end user) make itself accessible to the outside world.

      I've had this experience with a Q-SEE NVR (although I had read the included "quick setup" guide that mentioned how to access it remotely, so I knew it was doing that). Although changing the default password will "lock it down", it is still a bad idea for the default setting to be "punch holes in my firewall". Come to think of it, I don't even know if the NVR HAD the ability to disable UPnP.

  5. Jediben

    Where is the harm (no matter how ill-perceived the media wish this to sound) in any of these situations? The cameras are in place for a reason and even in public locations such as gyms etc there should be an expectation that the camera is on and SOMEONE can see it.

    I have IP cameras at home to view my pets while I am away, and I can tell you half a dozen places where I would expect privacy for both myself and them and so HAVEN'T placed cameras there:

    1. The bedroom.

    2. The toilet.

    3. The other toilet.

    4. The cupboard under the stairs.

    5. The Jacuzzi

    6. The secret underground lair beneath the dormant volcano

    Even if evil kiddy fiddlers can catch an eyeful of a blurry 320x480 image of a 7 month old sleeping in a crib in terrible IR mode, so what? You won't be able to tell the location of the household, or learn PIN number of the father's bank account!

    Of all the situations where a password has been left as default, I can think of a lot worse!

    1. Tom Chiverton 1

      "You won't be able to tell the location of the household"

      They have the IP address. That's enough to geolocate it almost exactly.

      1. Simon Harris

        Geolocation (with some additional detective work) may make a good guess if the address is associated with a company with a registered domain name (at work, it knows who I work for, but not which site I'm on). For a home user plugged into an ISP, when I've tried it, it identifies the provider, but the location it suggests is usually only somewhere within a 50 mile radius of where I actually am.

    2. hplasm
      Happy

      "4. The cupboard under the stairs."

      Why- Are you keeping a young wizard in there?

    3. Anonymous Coward

      Err?

      Ever heard of IP tracking and tracing?

      The bad guys will know that ISP you use via tracert etc. Like the Cops etc, you can be traced to a specific address especially if like a lot of us IT people we have fixed IP addresses.

      No enabled cameras in my place. All the laptops have black tape over the cameras just in case.

      1. Jediben

        Re: Err?

        Better put a camera outside my front door so that I can see the nasty Russians coming up the path when they decide that my sofa is worth breaking into my house to nick then! Heaven forbid the cat is verbally abused by a 14 year old Moscovian school child through the in-built microphone. PERSPECTIVE people. People should be far more concerned about their neighbours, close relatives, the plod and teachers abusing line of sight into their lives than a camera they have placed themselves.

      2. Muscleguy

        Re: Err?

        A traceroute on this IP address says it is located close to Virgin media's HQ instead of somewhere in Eastern Scotland where I really am. So, it depends on who your ISP is it would seem. I fully expect the spooks can find out but they would either have to make Virgin tell or like in the US GCHQ might well have a backdoor to more easily facilitate such things.

        1. Asylum Sam

          Re: Err?

          Yea but tracert is pants, , ,give this a try in ffox (click the ''test the location service by clicking here'' link) and see if you're still located near virgins HQ

          http://samy.pl/mapxss/

          1. Anonymous Coward

            Re: Err?

            Doesn't seem to do anything at all?

          2. Martin-73 Silver badge

            Re: Err?

            Thinks I'm in the ocean off the coast of west africa, and if I enter my router's mac address, it spews forth an html 404 error page as plain text all over where the useless map was...

          3. Kiwi

            Re: Err? @ Asylum Sam

            Yea but tracert is pants, , ,give this a try in ffox (click the ''test the location service by clicking here'' link) and see if you're still located near virgins HQ

            http://samy.pl/mapxss/

            Well... Interestingly close... Only a few streets away.

            Oh, and I used the company IP, with the company address plastered all over the web server (the web server is located within the company's building).

            Close enough that I might know someone in the area (I don't), but far enough away I probably wouldn't even hear of an armed offenders callout in the area.

            Nowhere near close enough to worry about.

            Found this site I think through an El Reg comment some weeks back. Have looked closely at cameras in my area, identified and notified those I can, some have taken notice some haven't. Many I don't have a clue where they are, even where I can see some of the surrounding countryside.

            It is a risk, but it is not as great a risk for some as some would have you believe.

            1. AlbertH
              Mushroom

              Re: Err? @ Asylum Sam

              Nowhere near close enough to worry about.

              Within a few streets? Close enough for a small tactical nuke, then!

            2. Kiwi

              Re: Err? @ Asylum Sam

              Found this site I think through an El Reg comment some weeks back.

              Actually, in interests of accuracy and belatedly replying to my own posts for a change, I actually found the site as a result of a look through my web server logs or web stats. Spent a while a) letting people know and b) trying to ID those places local to me.

              I also see it seems to be back up again, although the numbers are much lower than I recall.

              Good luck to him.

    4. Joe 48

      Not for me thanks....

      @Jediben

      IP geolocation would worry me, not hard to locate someone from IP and getting more accurate all the time.

      Add that to cameras around my house so they can instantly work out blind spots. Like the bathroom windows.

      You can think of a lot worse with default passwords? I can't, leaving my home and family vulnerable is much much worse imo.

      General non-technical people's ignorance I can understand, but you seem to grasp the problem, and yet still choose to ignore it. That imo is even worse!

      1. Jediben

        Re: Not for me thanks....

        Did I say I haven't changed the default password? No I didn't. My devices are secured thank you.

        The problem is not ignored, the problem has been evaluated and determined to be of insignificant threat.

        Here are a few things where default passwords are worse than on an IP camera:

        1. Cable modems/ADSL modems/Routers. (MITM attacks, dodgy DNS you name it)

        2. Servers of any kind (exploited/used to host unsavoury files/keylogging etc)

        3. ATMs (steals money from the bank)

        4. Smart Electricity meters/central heating (costs you money, boils the cat!)

        1. Joe 48

          Re: Not for me thanks....

          None of those put my house at risk in quite the same way as providing visual insight into my house.

          Ok, so you didn't say you were running defaults, my bad. But you still imply it's not that big a risk, when in fact it is.

      2. Christine Munro Silver badge

        Re: Not for me thanks....

        > "IP geolocation would worry me, not hard to locate someone from IP and getting more accurate all the time."

        Google keeps trying to geolocate my IP address with various rates of unsuccessfulness. My static IP has variously been in Maidstone, Manchester, somewhere in Scotland, Hatfield and Norfolk in the past year or two. I live nowhere near any of those places. Not that I've much worth nicking anyway, and any intruder would be savaged by the cat. She can do a serious moult when she wants to.

        1. Hellcat

          Re: Not for me thanks....

          Wasn't there some panic around the Google email backup streetview cars recording MACs and SSIDs and it being linkable with public IP addresses and MACs meaning public IPs could be easily mapped against a known location, within a WiFi range of around 30 meters? I guess if that's still the case then having a view into a known house would be pretty useful for a would-be burglar.

          Not a worry for me though, my WiFi has always been separate to my router so good luck with that one!

    5. Irongut

      > 4. The cupboard under the stairs.

      Daddy is that you?

      1. Jediben

        Irongut - How did you get the ball-gag off?!

        *Adds more soap to bucket of frogs*

  6. EddieD

    Erm..

    Webcams or Netcams (IPcams)?

    There's an important distinction - my webcam only works with an application and doesn't have a password, my netcam is online on its own IP (well, NATed) and has a 24 character password.

    All the models I've seen appear to be IPcams.

    (EDIT..and I won't give in to paranoia and check it)

    1. Anonymous Coward
      Paris Hilton

      Re: Erm..

      Yep, it took me a good read down the comments before I even twigged what was going on. For a site like El Reg to compound the error in its headline is a rather embarrassing failure. Warrants 20 lashes from a multi-plug power lead and a dozen Hail Adas, at least.

      NETCAMs, not WEBCAMs, OK?

      1. Mephistro
        Thumb Up

        Re: Erm..

        "Warrants 20 lashes from a multi-plug power lead and a dozen Hail Adas, at least."

        (ROFL.)

        For good measure, I'd add 20 genuflections before A. Turing's portrait. And those who don't repent and do their penances will see their geekdom badges publicly removed from them and destroyed, and nobody in these forums will ever invite them to beer again. It's worse than hell! ;-)

        And I totally agree with the confusion between netcams and webcams you pointed out.

      2. Martin-73 Silver badge

        Re: Erm..

        While common usage says you're correct, a camera available via a web address (as these are) is actually more a 'webcam' than the devices usually so-called. Like the hacker vs cracker controversy tho, that one's lost. So yeah, it should have said 'web available webcams' maybe?

  7. Peter Clarke 1

    Anti-spying Device

    Two extremely effective anti-spying devices are available. One comes in 10m lengths in various colours, the other only comes in blue or white.

  8. gerryg
    Facepalm

    Obligatory xkcd reference

    The story on the BBC website repeats the usual tosh about what constitutes a strong password. I don't understand why these "experts" don't look at xkcd for real advice.

    As it says there "Through 20 years of effort, we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess"

    1. Anonymous Coward

      Re: Obligatory xkcd reference

      " I don't understand why these 'experts' don't look at xkcd for real advice."

      Perhaps because they know that "it's a bit more complicated than that" (*)

      https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html

      http://robinmessage.com/2014/03/why-bruce-schneier-is-wrong-about-passwords/

      (*) With apologies to Ben Goldacre

      1. Lionel Baden

        Re: Obligatory xkcd reference

        @AC

        Yeah but now I can't use "Batterystaple" !! somebody else has already used it !!!

      2. Anonymous Coward

        Re: Obligatory xkcd reference

        To add to the XKCD example, I know of a few businesses using completely (for all intents and purposes) random very long string passwords for all their equipment. Passwords so long no human could ever remember them, so they are all written down on the doors of cupboards and the devices themselves.

        Oh, you're thinking it's ok as physical access is needed before someone gets that password? Well it's the pass to the public access internet wifi, so everyone else there has the pass written down so they can connect the countless devices needed for work, let alone to get some youtube vid at lunch time...

        So the question is, why not just make it "opensaysme" as it would be just as effective...

    2. NumptyScrub

      Re: Obligatory xkcd reference

      Adding uppercase, numbers and other characters to "correct horse battery staple" increases the entropy even further, though. Even just adding caps and common substitutions adds 4 bits per word, meaning 60 bits of entropy instead of 44.

      2^60 is 36,533,877 years at 1000 guesses per second, rather than 550 years for a "mere" 44 bits of entropy.

      Using multiple words is (as demonstrated) far more effective than a single word, but you should always be using multiple character types if you want to maximise entropy on a password ;)

  9. pryonic

    The solution here is the same one as was used back in the day when you could hop on 90% of home WiFi routers because the WEP / WPA was not enabled by default and even set up port forwards because 99% of the unsecured routers had a default admin password:

    Ensure the default password is random, possibly based on the mac address, rather than using a default one! Then stick a sticker on the product (just like routers have these days) giving the password. If Russian hackers have physical access to your house you have bigger problems!

  10. Simon Harris

    "Steamed footage available through the site"

    Presumably that will be from the Cambridge University Trojan Room Coffee Machine.

    1. Crisp

      Re: "Steamed footage available through the site"

      Website reports an error code of 418.

  11. jaycee331
    Happy

    Couldn't help but chuckle

    paragraph 3 : "Steamed footage available"

    1. Cynic_999

      Re: Couldn't help but chuckle

      It is a perfectly obvious typo. Should have read "steamy" of course.

  12. Anonymous Coward

    Post-it notes are your friend.

  13. Efros

    And this is a new thing??

    Only news because a news outlet has "discovered" this. These camera "hacks" have been around for a long time, fault can, as others have said, be laid squarely at the door of manufacturers and users.

    1. no-one in particular

      Re: And this is a new thing??

      I can't recall enough to locate the article, but I read about this stuff more than ten years ago, including a set of convenient Google searches to help you find these cameras. I was reading some dreadful rag website called "The Register".

      1. Woodgar

        Re: And this is a new thing??

        Used to be called googledorks I believe. Also used to be able to find all sorts of other interesting stuff, but I believe Google tightened up on this.

  14. frank ly

    Opportunity knocks.

    Do you spend too much time at work checking that your dog isn't peeing on the sofa? Are you worried that your babysitter might be getting stoned/jiggy with her boyfriend? Do you suspect that your neighbour has been letting your car tyres down a little bit every evening? Can't you sleep at night for fear that your corner shop is being ransacked?

    Then worry no more! For only £10 a month, our trained operatives across seven different time zones will watch your webcams for you and send tailored 'scenario alerts' (see previous paragraph) according to your requirements.

    In this modern interconnected world, someone is watching you all the time but it makes sense to have it done properly, by professionals who are working for you.

    1. Jediben

      Re: Opportunity knocks.

      A decent IP camera will actually have motion detection and can be configured to send an automatic email to an address of your choosing. I am afraid your enterprise is a decade too late! :(

      1. MrXavia

        Re: Opportunity knocks.

        Maybe, but motion detection on even the most expensive cameras is pretty bad....

        And they are terrible in changing light conditions... sure ok if your indoor curtains closed, but useless outside..

    2. Asylum Sam

      Re: Opportunity knocks.

      Someone already thought of it, tried it, failed.

      https://www.facebook.com/InternetEyes

  15. JimmyPage Silver badge
    Boffin

    Of more interest ..

    is the league table of open cams - assuming the ratio of open/secured cams is fairly location independent then:

    US: 4591

    France (?): 2058

    Netherlands: 1756

    Japan: 870

    Italy: 679

    UK: 584

    Curious as to why France - with a vaguely similar population to the UK has 4x as many unsecured cams, for a start. And the Netherlands, with a quarter the UK's population, but 3x as many cams ?

    I really need to get out more.

    1. Anonymous Coward

      Re: Of more interest ..

      Curious as to why France - with a vaguely similar population to the UK has 4x as many unsecured cams, for a start.

      A number of French ISPs offer camera surveillance for domestic security, by plugging a USB webcam into the router, for example an Orange Livebox, so that you can monitor it from elsewhere. I would guess that increases the likelihood of people trying it.

    2. Anonymous Coward

      Re: Of more interest ..

      Re: the Netherlands, perhaps Amsterdam has something to do with it?

  16. Ben Norris

    Shame that this is widely being misreported as hackers snooping rather than users leaving them unprotected. The message that there is something easy that they need to do about it has been lost from the headline.

  17. Jedit Silver badge
    Joke

    Insecure cameras

    Are those cameras that ask you if your bum looks big in the picture?

  18. Anonymous Coward
    Coat

    Point camera at ceiling/blank wall when not in use.

    THERE!! PROBLEM SOLVED!!

    My coat with the Anti-tracking liner.

  19. Jim 59

    Nuke your webcam from orbit

    It's the only way to be sure.

  20. Avatar of They
    FAIL

    Don't get it.

    Two things spring to mind with all this.

    1. Everyone has welcomed a piece of kit into their front rooms, that does watch your sofa and does listen to all the kind of conversations you have in much better quality than the average CCTV, that is secured by someone other than you and you can't change it, have no control over it and it is always on, with possible recording, and filming. Which goes to an unknown location where people you don't know can do what they want. And it is all legal because it is called Kinnect and M$ sell it. But Skype, Facebook, Snapchat, Instagram, EA (EULA and in game cameras) and the like are all to blame for similar data retention and eavesdropping possibilities for far less effort. Not to mention my Samsung Smart web accessible TV with hand gesture camera that films all the time.

    2. Our UK government have basically made eavesdropping legal for any state sponsored or "in any way possible put a link to a legal entity here" type company. With DRIP and digital economy bills.

    Don't need tin hats, five-eyes alliance handbooks and conspiracy theories to know all this, so why is this website anything different?

    Ahhhhh it is a Russian website, and the doom mongers will have us believe the cold war rattling is going on.

    Now it makes sense.

    1. Anonymous Coward
      Trollface

      Re: Don't get it.

      " Kinnect "

      Isn't that some sort of toy???

  21. Anonymous Coward
    Anonymous Coward

    Long pswd

    A cheap security DVR I use limits username and password complexity, I can't think why.

    It also expects to use UPNP, and has a helpful DDNS entry (not able to be removed) waiting to stream data on a known address as soon as you show it a net connection.

    I really am surprised this sort of thing has not got wider exposure before.

    Hey don't pull that face it's just a comment!

  22. Zog_but_not_the_first
    Facepalm

    Say "Hi"

    "Internet of things", meet the general public.

    What can possibly go wrong?

  23. TheWeddingPhotographer

    Default passwords

    Simple - don't have one factory shipped... Require the user to set one before the device will work

    1. Phil O'Sophical Silver badge

      Re: Default passwords

      Sadly the result of that will be poor reviews on Amazon for being "hard to set up", and people will go elsewhere for the easy "works right out of the box" option.

      1. Ken Hagan Gold badge

        Re: Default passwords

        I don't think "hard to set up" is the problem. It would be pretty easy to rig the camera so that it trusts the first person to connect to it but insists that they set a password before they get any video data. That's going to be simple enough that it will fit on a single side of paper, in big letters, just above a single paragraph that points out the wisdom of making sure that everyone else cannot use the camera as easily as you can.

        For the terminally dumb, there is probably also space on this piece of paper to draw a picture of a foreign-and-pervy-looking bloke spying on the lady of the house padding about the house in her undies.

        Get it right and you'll get *positive* reviews on Amazon.
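
The set-a-password-before-any-video scheme from the comment above, as an added sketch that is not part of the thread or any vendor's firmware. The class, its method names, the minimum length and the list of rejected defaults are all hypothetical.

```python
import hashlib
import hmac
import os

# Constructed list of factory-style defaults the gate refuses; not from any vendor.
KNOWN_DEFAULTS = {"password", "admin123", "12345678", "88888888"}
MIN_LENGTH = 8  # assumed policy value


class CameraGate:
    """Hypothetical first-boot gate: no owner-set password, no video for anyone."""

    def __init__(self):
        self._salt = None
        self._hash = None

    @property
    def provisioned(self):
        return self._hash is not None

    @staticmethod
    def _derive(password, salt):
        # Store a salted, slow hash rather than the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def set_initial_password(self, password):
        # Trust on first use: the first caller may do this exactly once.
        if self.provisioned:
            raise PermissionError("already provisioned; factory reset required")
        if len(password) < MIN_LENGTH or password.lower() in KNOWN_DEFAULTS:
            raise ValueError("password too short or a known default")
        self._salt = os.urandom(16)
        self._hash = self._derive(password, self._salt)

    def get_frame(self, password=None):
        # Fail closed: an unprovisioned camera serves no video at all.
        if not self.provisioned:
            raise PermissionError("set a password before video is available")
        candidate = self._derive(password or "", self._salt)
        if not hmac.compare_digest(candidate, self._hash):
            raise PermissionError("bad credentials")
        return b"<frame bytes>"  # placeholder for real video data
```

Trusting the first connection only holds if that first connection is the owner's, so a device built this way should complete setup on the local network before it is reachable from outside.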

  24. Stevie

    Bah!

    Tsk! Russians again. Can no one stop these digital dastards?

  25. Anonymous Coward
    Anonymous Coward

    Russian Website???

    Shirely it's the cameras themselves that are hosting and all any "website" is going to be is just a page of embedded video links.

    Also why is this news? - the script kiddies have been typing inurl:"ViewerFrame?Mode=" into google for years.

    1. Anonymous Coward
      Anonymous Coward

      Re: Russian Website???

      Yes, but then you end up sitting and watching traffic pass sedately through an intersection in a country you'll never visit...for hours.

  26. spacecadet66

    Or if all the above is too crazy technical for you, stick a piece of tape over the lens. Painter's tape will come off, when you WANT to cam, without leaving stuff on the lens.

    Or get your grandma to knit you a webcam cozy. Any of you are welcome to this potential billion-dollar business idea.

  27. Anonymous Coward
    Anonymous Coward

    didn't wired or ars do an article on this last month?

    I think the author located one of the businesses that had an accessible camera and called them, only to be bitched at for bringing it to their attention. IIRC, it was in a pizza joint in NJ.

    EDIT: or was it nytimes.com? I don't remember.

  28. Will Godfrey Silver badge
    Happy

    No Problem

    I don't have any net connected cameras in my home. Indeed, the only camera I have is a 12 year old Olympus

  29. roger stillick
    Unhappy

    Where is "Security for Dummies" ??

    IMHO= i blame the folks selling this stuff, all this internet enabled stuff (internet of things) with the caveat of "Don't Worry, We'll take care of you", and not providing even the simplest of instructions on how to provision, verify operation, and troubleshoot this stuff (after all, we don't want to scare a potential customer)...

    So where is my "Security for Dummies" book ?? the last book on security i got at Powell's is 3 1/2 in thick and not in any way useful to work on any internet of things device...We simply have nowhere to turn as users of this stuff, and now we are told to simply 'do it'...Thanks - but - No Thanks, i do not have enough info to allow me to actually 'do it'...RS.

  30. Christian Berger

    This is one example of the difference between...

    ...an "informed Society" and an "information Society".

    An "informed Society" would have people knowing the basics about networking and default passwords, they would then configure their devices accordingly and perhaps even ban them from accessing the Internet.

    An "information Society" simply outsources all of those things to the manufacturer and expects it to somehow magically make everything secure with a cloud service.

    An "informed Society" uses data networks to exist, an "information Society" can only abuse them.

  31. Wombling_Free

    Austfailian media report is fail.

    I heard this on the morning radio news in the car - and it was on the ABC, not one of the shite paid-for-comment commercial stations:

    Austfailian Government Minister all a-bluster about this DIRTY PERVY HACKING by those HORRID RUSSIANS.

    uh, right.

    I did not know entering a search in Google now qualifies as 'hacking' in Austfailia; I guess it's just another one of those ways they will round up all the dissidents before the next "election".

  32. Anonymous Coward
    Anonymous Coward

    Visit this site you can see:

    http://www.domainvader.com/insecam.com

    fb:admins 1560519777

    fb:app_id 351673164979930

    This page (now removed, shows original in Google search) identified the same fb:app id and Google analytics code UA-56828935-1:

    https://www.google.de/webhp?ie=UTF-8#q=56828935-1+351673164979930

    Click on the fb:admin and see where it takes you to:

  33. Gustav91

    Safer Remote Access

    I think safe remote access is going to be a big thing in the next couple of years. Home automation is increasing and with this more and more critical services will be reachable over the internet.

    How do you guys set up your dynamic DNS service to make sure no one tampers from outside your network? I've been using for a couple of weeks now the free service from www.desec.io as they have some extra security for their DDNS service.

    I think they are among the first who offer security features, like DNSSEC signing for all records, as well as SSH-Fingerprints and PGP-Keys.
