How a Russian Web site peers into your home, and your baby’s room, by hacking webcams
In a dark corner of the Internet, a profound violation of privacy is quietly unfolding unbeknownst to thousands of victims. A Russian-based Web site allows its users to silently flip through hundreds of lives, observe for as long they’d like, and depart for the next living room, the next gym, the next child’s bedroom. There, through the grainy lens of a hacked webcam, you’ll find a New Jersey infant sleeping in a crib, the image of an Iowa high school hallway or an Illinois convenience store clerk.
In all, the advertisement-festooned Web site takes you to nearly 4,600 locations in nearly every state in the nation. And then beyond. More than 2,000 French webcams have also been hacked. As have 1,576 Dutch cams, 870 Japanese and 584 British. Even footage from Gambia, Mozambique and Bahrain make an appearance on the site, the URL of which The Washington Post is not publishing for reasons of privacy.
The captured images of thousands serve as another stark reminder that private lives are not safe on the Internet. As this Web site proves, the hackers do not even need to be that savvy. They only need to walk through the digital equivalent of an open door leading into the homes of Americans who don’t create a password to protect their webcams or Internet-connected baby monitors. When that happens, a camera may use a default password that everybody and anybody knows.
That lapse, which concerns officials and watchdogs, is exactly what the site’s managers claim they want to draw attention to. In a Vice interview late last month, the unnamed operators said their intentions are benign — though they do clearly derive some profits from the Web site, festooned with pop-up advertisements.
“Only [the Web site] can prove the scale of the problem,” the hacker toldVice, adding no one has requested to have their cameras removed. “The problem was in darkness for many years. Most people still do not know.” The operator said he or she devised a program that’s “automated” and collects thousands more every week.
But some webcam users appear to be creating and switching their passwords. Vice’s three-week old report found the site was then surveilling nearly 4,000 more American locations than it does today. And if people are changing their passwords, it’s exactly what some officials want. “The danger of using weak passwords has been exposed again this month after a new website was launched that allows people to watch live footage from some of the insecure cameras in the world,” the British Information Commissioner’s Office said in a statement. “The website, which is based in Russia, accesses the information by using the default login credentials, which are freely available online, for thousands of cameras.”
The site targets some of the world’s most widely-used brands of webcams: Foscam, Hikivision, Panasonic, IPCamera and Linksys. Its operators add: The only way to remove your home from the Web site is to change your password, otherwise users can find it by simply browsing the cameras and “selecting the country or camera type.”
The targeted camera companies are not thrilled by the news. “An analogy best describing this would be just because someone leaves their window open it does not give permission for an unauthorized individual to set up a camera outside their window and broadcast the feed worldwide,” Foscam chief executive Chase Rhymes said in a statement reported by the BBC.
Perhaps most alarming, the privacy of infants is being violated. Paging through the Web site early Friday, numerous babies could be observed, sleeping in their cribs. Is it necessary to intrude upon sleeping infants to raise awareness about Internet security?
One professor of computer science at Johns Hopkins University concededin an interview with Vice that provocative action can sometimes ignite change — but this? “What is different about this is that there are actual victims,” Matthew Green told Vice. “They are individuals…. There are a lot of people who pull stunts, and try to make a name for themselves.”
And, judging from the advertisements, a few bucks, too.
Terrence McCoy is a foreign affairs writer at the Washington Post. He served in the U.S. Peace Corps in Cambodia and studied international politics at Columbia University. Follow him on Twitter here.