If You Didn’t Change The Default Password On Your Security Camera, Someone’s Probably Watching It Stream

Remote access has been a boon to many industries. Home security cameras, for example: not only can you keep an eye on your property in case anything bad happens, but you can do it in real-time, instead of reviewing footage after the fact. But cameras protecting the security of your home may in fact need a serious security helper of your own. And running tens of thousands of searchable livestreams from unwitting camera owners who didn’t change default the access passwords on their devices is certainly one (unethical, intrusive) way to make the point.

One site does exactly that, as Vice reported recently. The site runs live streams of feeds from tens of thousands of IP cameras around the world.

Users buy the devices — think nanny cams, baby monitors, and home security — to keep an eye on their families, valuables, and property. But with poor security practices, anyone and everyone else can keep an eye on your goods, too.

Cameras designed to be accessed remotely, as these are, have passwords. And they ship with default passwords, that users are supposed to change during the set-up processes. Only, many users don’t. (Even when they do, admittedly, people are often objectively terrible at passwords.)

That makes it easy for someone with an idea for a website to come along and write a script that looks for cameras on the internet, then tries the default password on them and adds the feed to a public collection if that password works.

Despite running ads and generating revenue, security is the real point the site is making, its owner told Vice. “Most people still do not know about the problem,” they wrote in an e-mail, and so nobody has yet asked to have their camera removed from the collection. “Only [the website] can prove the scale of the problem,” the administrator added. “This problem was in darkness for many years.”

Vice then goes on to look at how ethical hackers — the so-called “white hat” set — expose software vulnerabilities and then share their information with the companies that made the vulnerable products. It’s a common pastime for network security experts and for security companies. (When done by the latter, it’s not entirely altruistic: if you can point out a security hole, you can point out the need for someone to buy your services to fix it.)

The person or group behind this particular website, Vice concludes, isn’t exactly one of the good guys; they’re doing something both illegal and unethical. But this particular camera-sharing website, though troubling, isn’t really the root problem. It’s just one symptom of a massive, much larger, much deeper issue.

As everything gets “smart,” mobile, remote-accessible, and connected, security becomes an ever-deeper challenge. Sophisticated hackers will probably always be able break their way into certain lucrative systems, just as criminals will always try to rob physical banks. But millions of cracks, hacks, and break-ins aren’t even the purview of sophisticated hacking operations: they’re just the result of plain bad security that end-users — we home consumers — didn’t even know needed fixing. It’s not about how to protect your bank vault from Bonnie and Clyde; it’s about knowing the cash should go in a vault in the first place, and not simply be left in piles on the lawn.

Commandeered cameras are incredibly intrusive, but as far as poor default security goes, they’re only the tip of the iceberg.

Every wifi router ships with a default password, and it’s super easy to look those up by make and model. Securing your router, on the other hand, takes more work.

Your remotely-accessible multifunction printer might use a weak default password or in fact not have a password at all, meaning anyone with know-how could get in. Like a wandering security expert who hacks it to run video games… or someone less ethical, installing something worse as a gateway to the whole network.

A common default password can get you into a cash-filled ATM, where you could presumably then commit actual bank robbery.

At least, though, we all have a vague association with “network” and “security” when it comes to our routers, even if we’re bad at implementing it, and we know that banks need strong network security to protect their customers and their transactions. But security applies to everything that uses an internet connection.

From heating to cooling, homes are getting ever more connected. When your whole house goes smart, Bradbury-style, that means your whole house is vulnerable. Last year, one Forbes contributor explained how she was able to access everything from televisions to light switches to hot tubs in complete strangers’ homes.

Home appliances — from TVs to refrigerators — have already been unwitting participants in spam-sending botnets. Spam e-mail is annoying but comparatively harmless. Future intrusions, though, might not be.

Any company making connected devices that can receive, transmit, or share data needs to be stepping up their security game. Anything and everything should clearly require passwords and should require on first use that owners change those passwords to something reasonably secure, for a start.

But until then, the burden remains on individuals. Any time you buy or install a device that in any way connects to the internet? Look up how to keep it secure. And use a good password when you do.

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.