Terrifying website streams camera footage from your webcam
Joseph Cox wrote a fantastic article about a website that streams footage from web cameras whose owners never changed the default passwords. I was quoted in several places, but before we get there, let’s examine this article a bit.
There is a reason that I have seen this story go viral – it has been translated into myriad languages already and Mr. Cox’s research has been the subject of many, many unoriginal stories.
Here’s how Mr. Cox began the story – see if it gives you a chill down your spine:
* * *
Last week, I sat at my computer and watched a young man from Hong Kong relaxing on his laptop; an Israeli woman tidying the changing room in a clothes store; and an elderly woman in the UK watching TV.
All of these people were completely unaware that I was spying on them, thousands of miles away, through devices that were inadvertently broadcasting their private lives on the internet.
* * *
Even if this researcher—if we can call him that—really is trying to expose weak security practices, there’s little doubt that this behavior is illegal under US law.
It appears the site has changed providers since the Mail investigation; the reporters said they tracked it down to Moldova, but it now seems to be hosted by GoDaddy.com with an IP coming from Moscow in Russia.
Legally, Leiderman said it doesn’t matter that no ‘real’ hacking is taking place and the cameras are accessed via their default passwords.
“You put a password on a computer to keep it private, even if that password is just ‘1,’” he said. “It’s entry into a protected computer.”
Here is the update, and it is fascinating:
Update: 3 November 2014: After the publication of this article, the alleged administrator of the site responded to emails from Motherboard and repeated the claim that the site’s purpose is to highlight poor user security. “Only [the website] can prove the scale of the problem,” he or she wrote. “This problem was in darkness for many years.”
The administrator also wrote that nobody has yet asked to have their camera removed from the site. “Most people still do not know about the problem,” one email said. The process for adding cameras to the site is allegedly “automated,” with thousands collected each week.
It is always nice to be quoted in an article with academics, and Mr. Green is at the top of his field: “Matthew Green, assistant research professor at the Department of Computer Science at Johns Hopkins University, told me in a phone interview that this sort of action is sometimes needed. ‘I will grant that sometimes there are vulnerabilities that are intractable: you tell people about them, and everybody knows about them, but nobody tries to fix them,’ he said. ‘In theory, in those cases, you need to do something that takes it to the next level.’”