I received an odd email from a reader, who didn’t know how to handle a security issue they’d found. In using Google to research an IP camera—a camera that connects to the Internet for remote storage or streaming access—he happened upon another family’s camera rather than a website about the model. The family had multiple cameras installed in their home, all of which were streaming openly on an indexed webpage.
He was concerned for this family’s privacy, but didn’t know how to contact them, and so he left the page. He bookmarked it and checked a couple of times to see if it was a temporary problem. Finally, he emailed me, wondering if as a reporter I would seem less creepy finding and emailing the owners. I did, and the homeowner wasn’t freaked out: He had turned off a password during a problem, and forgot to ever re-enable it. He was thankful, and I passed that back to my reader, who was relieved of his ethical burden.
But this whole incident highlighted one of the concerns of IP cameras specifically and the Internet of Things (IoT) in general: when the world can poke at your devices, a configuration failure or not knowing how to configure something eats at your privacy, and can contribute to identity theft, harassment, or other crimes.
Apple (with HomeKit), Nest, and others want lock-in from their systems. But what they’re trading for a typically closed ecosystem of devices that only support one proprietary standard is a promise of privacy, integrity, and security. Can they live up to it? One hopes better than what’s happening right now with a lot of standalone hardware.
The changing nature of defaults
The number of IP cameras available at Amazon is truly absurd.
You won’t find this privacy problem with Nest’s cameras or similar high-end brands that cost $150 to $200 per camera, many of which offer limited to extensive cloud-based storage. But all of them secure remote access to your network in two ways: You almost always need an app made by the company that uses a secure connection to your gear and requires an account and password. This prevents drive-by snooping.
However, there are thousands of inexpensive IP cameras, some with major brand names and others made by tiny unknown firms, that put access ahead of security and privacy. Out of the box, you’re not asked to add a password or a setup wizard doesn’t require it. Further, many of these devices don’t do the extra work required to secure video streaming.
This leaves access vulnerable in two directions: Anyone who can find the camera’s IP address can view images and, with some models, pan, scan, and zoom, as well as reconfigure or break devices. Most models that lack a security requirement also use the same administrative name and password for every device shipped—which can be as simple as “admin” and “admin.”
The other direction is that anyone who can get on the same Wi-Fi network can intercept video as its streamed remotely, because the data isn’t encrypted. Fortunately, ISPs and Wi-Fi router makers have been enormously more responsible about shipping hardware with unique account information or a setup process that heavily encourages or requires a password to be set. And most ISPs mandate or ship Wi-Fi routers with a network password enabled, too.
A random, impersonal example of an exposed IP camera: a sump pump somewhere.
There’s a site with links to thousands of unprotected cameras around the world, with models by Axis, Panasonic, Sony, Foscam, Linksys, and others. I don’t want to link directly to it, because I would be publicizing and abetting people peeping into other folks’ lives at home, work, and school. Some of these are as exciting as a sump pump in what must be a hard-to-access basement; others are clearly people’s living rooms and bedrooms.
IP addresses with most ISPs aren’t fixed over time, though some persist for really long periods. However, some ISPs map long subdomains that can identify a location to a surprisingly close degree. That combined with Google Street view or a unique Wi-Fi network name could allow a seemingly random camera to be connected with someone’s exact physical location.
If you or someone you know has a IP camera set up, this might be a good time to check its configuration. Some older cameras that lack secure streaming and access might have firmware upgrades, but most inexpensive gear has no upgrade path within a relatively short time after manufacturer. The firm just releases a new model and obsoletes the old one.
Everything is watching
While awareness has grown about IoT devices, it’s unclear whether the makers of cheap IP cameras have changed their practices much. There’s no global regulatory framework for testing. Some countries have limits on what can be recorded pointing out from a house or business or in a retail space, but there are typically no rules that applying to selling equipment that’s meant to record video, wherever a camera is used.
Most enforcement related to video privacy has to do with the individual misuse of cameras. As far as I know, there’s never been a widespread action on behalf of consumers to require more security measures, and it would be effectively impossible to enforce unless the FTC or another agency had an outright ban that retailers observed and blocked import at customs, as well.
This is why IoT should be exciting. Associations of manufacturers with centralized standards and testing to meet a specification and allow a brand name on a device can have a salutary effect. Companies making hardware want the trademarked name, the marketing benefit, and an easier story to “sell” to consumers about why they should buy their stuff. But that only covers a subset of all hardware and the consortia have to be serious about criticism and making updates available for easy installation—without bricking their devices.
The FTC released a report and its head keynoted the CES trade show in January 2015 directly on this issue, warning that the electronics industry wasn’t necessarily on the right path. Shipping stuff under market pressure or at very low costs leads to corners being cut.
With billions of devices shipping in the next few years that are always available over the Internet, there’s a lot of potential for things to go wrong even when you do everything right. As you make decisions of what to buy for your house, keep in mind not just what, but who might be watching you.
Author: Glenn Fleishman, Senior Contributor
Glenn Fleishman’s most recent books include Take Control of iOS and iPadOS Privacy and Security, Take Control of Calendar and Reminders, and Take Control of Securing Your Mac. In his spare time, he writes about printing and type history. He’s a senior contributor to Macworld, where he writes Mac 911.