Update 3 November 2014: After the publication of this article, the alleged administrator of the site responded to emails from Motherboard and repeated the claim that the site's purpose is to highlight poor user security. "Only [the website] can prove the scale of the problem," he or she wrote. "This problem was in darkness for many years."
The administrator also wrote that nobody has yet asked to have their camera removed from the site. "Most people still do not know about the problem," one email said. The process for adding cameras to the site is allegedly "automated," with thousands collected each week.
Last week, I sat at my computer and watched a young man from Hong Kong relaxing on his laptop; an Israeli woman tidying the changing room in a clothes store; and an elderly woman in the UK watching TV.
All of these people were completely unaware that I was spying on them, thousands of miles away, through devices that were inadvertently broadcasting their private lives on the internet.
I found them on a website that claims to have the direct feeds of hundreds of thousands of private cameras. There are 152 countries to choose from listed on the site, as diverse as Thailand, Sudan, and the Netherlands. The UK has 1,764 systems listed. The US has 8,532.
This particular website exposes IP cameras. These are external devices typically bought to keep an eye on valuables, act as a baby monitor, or make up a home or business security system. Some of these devices come with a default password that many users do not change, which is how this site is able to access them.
It's all in the name of raising awareness about computer security, the site's creator claims (never mind the fact that the site has ads). "This site has been designed in order to show the importance of the security settings," the page states.
Image: screenshot from the website
The website is one of the latest, and perhaps biggest, examples of a trend wherein security researchers risk people’s personal privacy under the justification of exposing security issues. Although this approach can sometimes force a vendor to act and fix the problem, it can also harm the public at large.
Often when a researcher finds a vulnerability in a device or system, they will notify the affected company, then work with them towards a solution behind closed doors. For example, in May a researcher notified Google and Microsoft about a particular method of delivering malware by tricking users into thinking they were downloading a file from a trusted website. The problem was addressed before the researcher made his findings public.
Usually, these kind of white hat hackers will abide by strict guidelines. "Most responsible disclosure policies used by security researchers derive from the RFPolicy," Shane Macaulay, director of cloud security at IOActive, told me in an email. "The procedures outline ethical ways to handle unresponsive vendors and to disclose to various security forums as a way to shame a vendor and 'get the word out' as well as normal press channels."
These principles aren't in any way binding; they're more suggestions on how to responsibly handle security issues between researchers and vendors, such as keeping in close contact and releasing information to the public at an appropriate time.
But some feel there are times when a different approach is needed. Earlier this year, two researchers released a crucial USB vulnerability into the wild. The attack could load any USB device with undetectable and powerful malware, and there was no quick fix to sort it all out.
I will grant that sometimes there are vulnerabilities that are intractable
So the researchers published the vulnerability details in order to push an entire industry—those who manufacture USB devices—to deal with the problem. This has a downside: with the code posted on Github, theoretically any entrepreneurial criminal could craft a new money-making scheme out of the research, threatening the security of an incalculable number of people.
Matthew Green, assistant research professor at the Department of Computer Science at John Hopkins University, told me in a phone interview that this sort of action is sometimes needed. "I will grant that sometimes there are vulnerabilities that are intractable: you tell people about them, and everybody knows about them, but nobody tries to fix them," he said. "In theory, in those cases, you need to do something that takes it to the next level."
But, in the case of the IP camera site, he said he didn't think that hosting the feeds of hundreds of thousands private cameras is the right way to go about it. “What is different about this is that there are actual victims; that they are individuals,” Green said.
Setting up the website, Green said, “sounds a little irresponsible to me.” That’s if the creator's claims of making the site in order to raise important security issues are even genuine in the first place. “There are a lot of people who pull stunts, and try to make a name for themselves,” Green added. The owner of the site did not respond to a request for comment.
Back in 2012, a similar thing happened specifically with Trendnet cameras. The blog Console Cowboys detailed a critical flaw in these cameras, and someone else eventually created a Google maps style interface for tapping into the cameras at will, allegedly to raise awareness of the issue and force Trendnet to take action. In response, Trendnet notified their customers of an update that would fix the vulnerability.
Image: screenshot from the website
But this new site doesn't target a technical fault and its creator doesn't seem like your regular white hat researcher. Although it lists the different brand of cameras being used (Foscam, Panasonic, Linksys, and IPCamera, as well as AvTech and Hikvision digital video recorders), the weakness doesn't necessarily lie with the manufacturers. At least in part, it’s simply poor password management from the users.
There are a couple of things that the camera manufacturers could do, such as forcing all customers to choose a new password when they setup their device the first time, or shipping all of their cameras with a unique password by default.
Foscam's COO Chase Rhymes told me that they implemented the former over a year ago, once they became aware that their cameras were being accessed because of their default passwords. But, "it was certainly not because of this website," Rhymes said. It was due to a baby monitor being broken into, back in 2013. Foscam was aware of the website before I contacted them, because reporters from the Mail on Sunday had reached out to them when they found the site last month.
"All cameras being manufactured require the user, during the setup process, to change the password," Rhymes said in a phone interview. For cameras already being used, he claimed that an update was released that would force users to change the password. The company also claimed to have contacted customers and retailers by email.
Linksys, meanwhile, first heard of the site from me. The company is "still trying to determine which Linksys IP cameras are referenced on the site," but it believes they are old, out-of-production models. Its newer cameras display a warning to users who have not changed their default password.
The real problem is that the people who are the victims—the people who are being observed—are not necessarily being notified that this is happening
According to the webcam site, if you discover your camera feed and wish to have it removed, you can email and it will disappear from the site. If you don't want your camera to remain exposed in the long term, it recommends that you change your password. But how are you, the person on the other end of the camera, supposed to find out it’s compromised in the first place?
"The real problem is that the people who are the victims—the people who are being observed—are not necessarily being notified that this is happening," Green said.
Even if this researcher—if we can call him that—really is trying to expose weak security practices, there’s little doubt that this behavior is illegal under US law.
"It is a stunningly clear violation of the Computer Fraud and Abuse Act (CFAA)," Jay Leiderman, a US lawyer who has experience in hacking cases, told me in a phone interview.
It appears the site has changed providers since the Mail investigation; the reporters said they tracked it down to Moldova, but it now seems to be hosted by GoDaddy.com with an IP coming from Moscow in Russia.
Legally, Leiderman said it doesn't matter that no 'real' hacking is taking place and the cameras are accessed via their default passwords. "You put a password on a computer to keep it private, even if that password is just '1,'" he said. "It's entry into a protected computer."
Sometimes there is a case for highlighting security weaknesses in a bold fashion. It can force companies into a corner, and address a problem that they may otherwise ignore. But websites like this, which expose the private lives of people—people who probably won't find out anyway—don't offer any solutions. The true motives of the site’s creators remain unclear.
"I really think it's unlikely that this is going to result in widespread attention to the problem," Green concluded. "I think it's probably, on balance, going to be more damaging than helpful."