When I opened my eyes, I found myself watching the Tonight Show with Jay Leno from the comfort of an unfamiliar couch. It was one of those oversized L-shaped couches that you really want but can’t have because it won’t fit in your 700-square-foot apartment. As I was sitting there, enjoying the luxury of a couch big enough to consume my kitchen, my gut told me that something wasn’t right. My suspicions were confirmed when I realized that Jay Leno wasn’t speaking English. I looked over at Toto and said, “I love this couch, but I’ve a feeling we’re not in California anymore.” With a look of uncertainty on his face, Toto nodded in agreement and replied, “Where the hell are we then?” After doing a little research on Google, I discovered that I was actually in Rome. Yes, as in the capital of Italy. So, how’d I make a 6,000-mile journey without leaving my Sacramento office? I used webcams.
In addition to watching the Tonight Show, I attended preschool, babysat an unruly group of dogs, toured the slums of Brazil, patrolled a used car lot, monitored a weather station, ticketed a red-light violator, and sold a smartphone. I visited private residences and businesses in China, Russia, Japan, Thailand, Brazil, and more than a dozen other countries across the globe. Cool, right? Well, that depends on how you look at it. If you’re anything like me, you’ve already pondered the possibility that somebody could be watching you.
Like any other stereotypical sightseeing tourist, I brought my camera along. Let’s take a look at some screenshots.
The top right image was taken from a surveillance camera at a Verizon Wireless store in the Chicago area. What you don’t see in the image is that I had complete control over the surveillance system, including the digital video recorder (DVR). This means that I had the ability to enable and disable recording. Think about the implications that this has. If someone with malicious intent accessed that same system, he or she could easily exploit it to facilitate a robbery. Now, think about this scenario on a larger scale. Do you see where I’m going with this yet?
In addition, the majority of these cameras feature a pan, tilt, and zoom function. What does this mean? Well, if you’re willing to get creative, it means you could easily focus the camera’s attention on a customer’s credit card information. This can be achieved not only by directly zooming in on the credit card but by looking for reflections. If you’re not lucky enough to find a properly positioned mirror, there are other less obvious sources such as sunglasses and windows. Kind of scary, right? I’m guessing the next time you log into Facebook while wearing sunglasses, you’ll think twice.
Now that we’ve considered some potential security risks, let’s focus on how we can prevent unwanted spectators from accessing our webcams. Here are some over-the-counter solutions:
- Protect your webcam with credentials
- Do not rely on the factory’s default username and password
- Use a strong 12+ character password containing a mixture of uppercase letters, lowercase letters, and numbers. If possible, include special characters such as @#$%&!
- Encrypt your webcam’s feed
- Configure your camera to use a dynamic IP address instead of a static IP address
- Set up a virtual private network (VPN) to access your camera
- Utilize your system’s built-in security features
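The first three points above amount to a credential policy: never keep the factory default, and use a password of at least 12 characters mixing uppercase, lowercase and digits, with special characters where the camera allows them. The following is an added example, not code from this post, that turns that policy into a check an administrator can run against the credentials they are about to set on a camera. The list of default pairs is constructed for illustration only; the real defaults for any given model come from its own manual.

```python
import string

# Constructed, illustrative list of (username, password) pairs that ship as
# factory defaults on many consumer devices. Extend it from your own camera's
# manual; it is a placeholder, not a vendor-specific database.
COMMON_DEFAULTS = {
    ("admin", "admin"),
    ("admin", ""),
    ("admin", "1234"),
    ("admin", "password"),
    ("root", "root"),
}

MIN_LENGTH = 12
# The post suggests @#$%&! ; any punctuation counts as "special" here.
SPECIALS = set("@#$%&!") | set(string.punctuation)


def check_password(password):
    """Return the list of hard policy violations (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    return problems


def has_special(password):
    """True if the password contains at least one special character (recommended)."""
    return any(c in SPECIALS for c in password)


def check_credentials(username, password):
    """Combine the checks for a username/password pair.

    Returns a list of problems. Matching a known factory default is reported
    first; an empty list means the pair is acceptable under the policy.
    """
    problems = []
    if (username.lower(), password.lower()) in COMMON_DEFAULTS:
        problems.append("matches a well-known factory default")
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    problems.extend(check_password(password))
    return problems


def is_acceptable(username, password):
    """Convenience wrapper: True only when there are no hard violations."""
    return not check_credentials(username, password)


if __name__ == "__main__":
    # Constructed sample pairs: a default, a weak choice, and a compliant one.
    for user, pw in [("admin", "admin"), ("admin", "admin2011"), ("cam-ops", "Tr0ub4dor&Lobby9")]:
        verdict = check_credentials(user, pw) or ["ok"]
        note = "" if has_special(pw) else " (consider adding a special character)"
        print("%s / %s -> %s%s" % (user, "*" * len(pw), ", ".join(verdict), note))
```

The special-character rule is deliberately reported as a recommendation rather than a failure, since the post itself qualifies it with "if possible" and some camera firmware rejects punctuation in passwords.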
About 99% of the time, I was able to gather sensitive user data from the camera’s web interface. For example, I was able to obtain full names, street addresses, phone numbers, company information, email addresses, and other data. This can be avoided by simply not associating personal information with your camera. Most modern cameras have an automated email notification service that alerts administrators when the camera detects motion. This means that, in order to use the service, you are required to provide a valid email address. If you insist on using this feature, I recommend establishing a completely separate email account that serves only this purpose. When you set up that separate account, however, be sure to use a fictitious name and don’t link any additional email addresses (typically used for account recovery).
Although detaching your personal information is a step in the right direction, it may not be enough. Let’s use the Verizon Wireless store as an example. The Verizon Wireless camera didn’t have any information associated with it, but I was still able to locate it. How? I used clues from the video feed: a suite number on the front door, a pair of red chairs, and a corner window. First, I focused my attention on the suite number. With the help of Google, I found 23 matching stores. From there, I shifted my attention to the physical structure of the store. Using Google Earth’s street view, I found 4 stores that were located in corner structures. With only 4 possibilities left, I had two options: I could phone each store while watching the video feed, or I could continue my online search. I decided to continue my online search, which eventually led me to images of the Verizon store I was looking for. In the end, it was the position of the two red chairs that gave away the store’s location.
Webcams are only the tip of the iceberg. My search extended into large industrial control systems, stoplight systems, enterprise resource planning (ERP) systems, and other highly volatile systems. Looking back on my webcam adventures, I realize just how naive we are. We believe we’re safe when, in reality, we’re only blanketed by a false sense of security. Considering that we live in a technologically advanced world, I can’t help but wonder where this false sense of security comes from. Maybe the blanket is knitted by a lack of education, or perhaps it’s our government’s fault. To be honest, I’m really not sure. I’ll let you decide.