Thousands of Private Camera Feeds Exposed Online: Ensure Your Security is Intact

If you have internet-connected cameras in or around your home, it is crucial to review their settings. Recent research has uncovered over 40,000 cameras exposing images of residential and commercial properties online without any password protection or authentication.

The TRACE research team from Bitsight identified the issue: these cameras are reachable directly over the internet. They often contain built-in web servers that enable remote access through a browser or app, which leaves them open to unauthorized viewing by anyone who discovers their IP addresses.

The United States has the highest number of exposed cameras, with approximately 14,000, predominantly located in California and Texas. Japan follows as the nation with the next largest number of exposed cameras, registering around 7,000. Other countries with notable figures include Austria, Czechia, South Korea, Germany, Italy, Russia, and Taiwan.

The foremost concern for individuals utilizing these cameras is privacy. Many cameras are installed in sensitive areas of homes, such as bedrooms, exposing residents to potential spying or extortion if compromising footage is captured. In addition to privacy risks, there are significant security concerns. Cyber attackers could exploit these cameras to gather surveillance data prior to a physical intrusion.

Compromised administrative access is just one potential threat. If attackers gain SSH access, they might exert complete control over the camera’s hardware and software, targeting vulnerabilities that manufacturers have overlooked. This scenario could transform a camera into a launchpad for further network breaches or integrate it into a botnet for orchestrating malicious activities.

Botnets comprising connected devices are increasingly prevalent. A notorious example is the Mirai botnet, which commandeered cameras and other internet-enabled devices to conduct denial-of-service attacks, overwhelming targeted systems with traffic.

The Bitsight report references instances in which vulnerabilities in cameras were exploited to install ransomware.

Exposed camera feeds are not a recent phenomenon. Utilizing scanning tools that reveal unsecured feeds has become commonplace; indeed, Bitsight previously documented similar exposures in 2023. Historically, websites like Insecam demonstrated the feasibility of accessing unsecured camera feeds globally.

The ease of discovering these unsecured feeds stems from the general practice of installing devices without robust cybersecurity configurations. While manufacturers should ideally enforce basic security measures, the reluctance to introduce complexities often results in significant vulnerabilities. Though recent legislation in the United States and United Kingdom aims to regulate connected devices, enforcement remains an ongoing challenge.

While some may recommend only investing in well-known brands, even reputable vendors can falter. Amazon, for instance, faced scrutiny when it settled with the Federal Trade Commission for $5.6 million over allegations that employees accessed customer feeds from Ring cameras without permission. Reports indicated employees improperly viewed the feeds of users, leading to several egregious privacy breaches.

Mismanagement is not limited to large vendors. Other notable incidents include Wyze mistakenly displaying customers’ video feeds to one another and Eufy sending camera images to the cloud contrary to their claims of local storage.

To mitigate risks associated with internet-connected cameras, consider the following recommendations:

  • Utilize unique credentials: Establish distinct usernames and passwords for your cameras to prevent unauthorized access. This requires configuring the device through its admin interface to replace default passwords.

  • Limit camera placement to non-sensitive areas whenever possible: Reevaluate the necessity of cameras in intimate spaces like bedrooms and bathrooms.

  • Conduct research for vulnerabilities: Investigate the brand and model of the camera for any prior security incidents and ascertain how promptly these issues were addressed.

  • Test for insecure access: Attempt to access the camera remotely without logging in; if successful, it indicates a vulnerability that others may exploit.

  • Regularly apply security patches: Monitor for device updates and implement the latest security patches, setting them to update automatically when feasible.
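The "test for insecure access" step can be scripted against your own camera. The following is an added example, not code from Bitsight or from this article; the function names and result labels are illustrative assumptions, and it should be run from outside your home network (for example over mobile data) against the address your camera is reachable at.

```python
import sys
import urllib.error
import urllib.request

# Content types that mean the device is serving a picture or a video stream.
MEDIA_TYPES = ("image/", "video/", "multipart/x-mixed-replace")


def classify(status, headers):
    """Classify one response to a request that carried no credentials."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if status in (401, 403) or "www-authenticate" in h:
        return "protected"        # the device demanded a login
    if 300 <= status < 400:
        return "redirect"         # usually to a login page; confirm by hand
    if status == 200:
        if h.get("content-type", "").startswith(MEDIA_TYPES):
            return "exposed-media"  # imagery returned with no login at all
        return "review"           # a page came back: login form or live view?
    return "inconclusive"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects as results instead of silently following them."""

    def redirect_request(self, *args, **kwargs):
        return None


def check(url, timeout=5):
    """Request `url` (your own camera) without credentials and classify it."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return classify(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return classify(err.code, dict(err.headers or {}))
    except (urllib.error.URLError, OSError):
        return "unreachable"      # nothing answered from this vantage point


if __name__ == "__main__":
    # Usage: python camera_check.py http://<your-camera-address>/
    print(check(sys.argv[1]))
```

A result of "exposed-media" means the camera needs a password set immediately; "review" means open the address in a private browser window and confirm that a login form, not the live view, is what appears.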

In conclusion, ensuring the security and privacy of internet-enabled cameras is essential in safeguarding personal spaces. Regularly evaluating and reinforcing protective measures can significantly reduce exposure to potential threats and enhance peace of mind.