Look Who’s Watching … Webcams, Privacy and Common Sense

29 02 2012

by Mike Timko

While this is certainly not a new topic, I believe it is an area that should garner more press and concern. As more and more homes add Internet-based cameras to communicate with family members or to monitor what is going on when they are not there, the concern over privacy should be considered paramount – yet it appears to be much more of an afterthought. While there certainly is a category of users who wish to broadcast their webcams to any user or group, I am focusing only on the intentional hacking of a personal webcam whose owner has no intention of allowing public access.

Webcam Proliferation

More than 79% of laptops have webcams and that number continues to rise. [1] Laptops, desktop computers and smartphones are not the only places webcams are being used, and they are not just being used for chatting or keeping in touch with family members. Increasingly, people are adding home monitoring systems that can either be tethered to a webcam or operate independently via a Wi-Fi connection, making them easy to install almost anywhere. Home video monitoring is not new, but with Internet capability, the ease of access to these cameras has greatly increased. Early on, this was a place where the home automation enthusiast or hobbyist dabbled, cobbling together various components to create a home monitoring system with some sort of Internet connection. Now you simply have to do a search for home video monitoring and you can find inexpensive systems available at your local big box or office supply store. People who are concerned about the security of their home or need to monitor a location can install these systems in a very short time, which is part of the issue. The ease of setup makes securing webcams a secondary thought, and many people simply accept the default configuration. [2] Most people who buy these types of systems do not have the technical background to do more than connect the system, which is the appeal. There are an increasing number of smartphone apps that make access to these systems even easier. One that immediately comes to mind is iCam from SKJM.com. The app and related software allow you to legitimately control the webcams or Wi-Fi enabled cameras in your home or business with great ease. In fact, there have been news stories of people who have stopped burglaries in action via quick use of this app. [3] I personally use this product and have liked the fact that I can monitor my home when not there. I am, however, concerned that others could try to do the same. Since this software requires the cameras to be on, the ubiquitous “green light” is always lit, and thus awareness of the cameras' active status is diminished.

Gaining Access

Do a simple search for “hacking a webcam” on the Internet and there are multiple results, from tutorials on simple techniques for breaking into a webcam down to software that will assist the would-be hacker or voyeur. While there is certainly no way to regulate the distribution of this information, it is clear that consumers need to be ever vigilant in securing against prying eyes. There are some basic steps any user of webcams can take to be sure they are doing the most to secure their devices. It can be as simple as installing anti-virus software or enabling a firewall. Wi-Fi connections should always be secured with at least WPA to add an additional level of protection in accessing the camera. [4] A recent article in Wired magazine detailed how a hacker exploited a known vulnerability in a particular brand of webcam, to the extent of listing all the detailed steps necessary and the related code to make it even easier. Using their net address and some clever hacking, he was able to access and control cameras even if they were password secured. [5] While the company will be issuing a firmware update to resolve this issue, the very idea that this oversight could have occurred is very disturbing. This certainly raises the question of what other brands or devices can be remotely accessed even with basic security in place.

To the Forefront

An incident that has garnered much media attention was the spying on students in the suburban Philadelphia school district of Lower Merion. The school district asserts that the cameras are only activated on the school-owned laptops if they were reported stolen; however, the investigation uncovered thousands of pictures from computers that were not reported missing by the student. [6] A class-action lawsuit was filed against the district alleging that the school invaded the students’ privacy. The district acknowledged that school administrators could remotely take pictures, and it may have actually tried to hide the fact that they were engaged in this activity. [7] An issue with this case is the legal recourse the families have. According to Title III of the Omnibus Crime Control and Safe Streets Act of 1967, known as the “Wiretap Act”, it is forbidden to record phone or personal conversations using a hidden microphone, but there is no provision for webcam regulation. An appellate court case in 1984 upheld that “video surveillance does not ‘intercept’ any communication, and therefore held that Title III neither authorized nor prohibited the surveillance.” [7] In the time that has elapsed since the 1984 decision and subsequent recommendations, there has been no action to amend Title III. We need legislation that can protect us and take into consideration existing technologies but be flexible enough to look forward as well.

Boardroom Break-in

In a recent event, HD Moore of Rapid7, a computer security firm, was able to write a computer program that allowed him to search the Internet and obtain the addresses of thousands of videoconferencing sites, from major corporations to private legal discussions. The primary reason that he was able to gain access was the end users' lack of concern about securing these systems. Most companies contacted simply wanted the systems to work and be easy to access by the external entities with which they want to conference. What they did not consider was the presence of people trying to access these systems who have no legitimate reason to do so. Mr. Moore was able at times to zoom and pan the cameras as well as listen to the conversations. [8]

One Final Thought

The lesson learned is a simple one – treat any web-connected camera as a portal to the outside world and protect that feature/vulnerability accordingly. The advent of even smaller cameras and wireless devices will only make securing them a higher priority. Considering the time it takes to amend laws, it is important that we look out for our best interest.

_______________

[1] “Webcam Penetration Rates & Adoption”, http://weareorganizedchaos.com/index.php/2011/07/05/webcam-penetration-rates-adoption/

[2] “How to Find Hidden Webcams on the Internet – For Free”, http://donatello.hubpages.com/hub/How-to-Find-Hidden-Webcams-on-the-Internet—For-Free

[3] “SKJM in the News”, http://skjm.com/news.php

[4] “Webcam Hacking: How to Protect Yourself”, http://voices.yahoo.com/webcam-hacking-protect-yourself-9045547.html?cat=15

[5] “Flaw in Home Security Cameras Exposes Live Feeds to Hackers”, http://www.wired.com/threatlevel/2012/02/home-cameras-exposed/

[6] “School District Allegedly Snapped Thousands of Student Webcam Spy Pics”, http://www.wired.com/threatlevel/2010/04/webcamscanda/

[7] “Video Laptop Surveillance: Does Title III need to be updated?”, http://www.judiciary.senate.gov/pdf/3-29-10%20Bankston%20Testimony.pdf

[8] “Cameras May Open Up the Board Room to Hackers”, http://www.nytimes.com/2012/01/23/technology/flaws-in-videoconferencing-systems-put-boardrooms-at-risk.html?_r=1&scp=4&sq=cameras&st=cse
