In a couple of clicks, you can check in on a crib in China; a couple more, a loading dock in Denmark. The site is called Insecam, and it provides live streams of unsecured IP surveillance cameras from around the world.
Whether due to convenience or carelessness or both, a number of IP (internet-streaming) camera users settle for the default username and password when installing their cameras. It may seem like an innocuous time-saver or a simple oversight, but in using “admin” as the username and “admin” or “12345” as the password for a webcam, nearly 73,000 users have exposed themselves to Insecam’s exploit.
The Russia-based site’s administrators have reportedly created an automated system for targeting this common vulnerability, with thousands of cameras being added every week.
“Most people still do not know about the problem,” an Insecam administrator wrote in an email to Motherboard.
Of the 100+ countries represented on the site, unsurprisingly the United States takes the top spot with nearly 10,000 unsecured cameras. Second place is South Korea at more than 6,500, and China sits in third with nearly 5,000. Other similar sites have existed in the past, but none has operated at the sheer volume of Insecam.
Sharing this website raises a moral question: exposing private surveillance camera feeds to an even larger audience is never a joyous endeavor. One blogger, “Ms. Smith” from Network World, attempted to reconcile this precarious position by being a Good Samaritan, tracking down some of the exploited camera owners and informing them of their predicament. Unfortunately, after a day of accusations and dead ends, Ms. Smith decided that the best course of action was awareness.
The bottom line is you should never be using a default password for anything, especially your surveillance camera system. If you are, change your settings immediately!
Insecam claims that they haven’t received any takedown requests. Their FAQ section provides a contact link for those who wish to keep their cameras public but want them taken off the site. Presumably, because the site simply aggregates the feeds based on an algorithm that targets password settings, switching away from the default password will automatically remove a feed from the site.
“The only solution to make your camera private is to change default password!” the site advises.
There are a number of resources available online, mainly through a camera’s manufacturer, that will give a user step-by-step instructions on how to change these settings.
“If you don’t recall your username/password combo, then download the manual of your camera model, reset the device like you would a wireless router, and aim for a strong password to truly provide security this time,” Ms. Smith writes.