Hack alert: Do you know who is watching your CCTV?

Perfectly legal projects collate live CCTV footage from around the world… what does this reveal about IoT security?

Three young people sit on stools underneath a big red sign which reads “Media Zone”. The token man has his arms folded and looks bored. The two girls are engaged in an animated conversation with someone opposite. On the shelf behind their heads rests a big cardboard cut-out of a fellow with his arms out – these span the entire shelf – and it looks like he’s hugging them.

I’ve no idea who these people are, or what they’re waiting for. All I know is that right now – well, at the time of writing – they’re located just off the Strand in central London, the security camera filming them is supplied by Axis and someone has bizarrely tagged the stream “poo in the loo”.  

It was quite by chance that I stumbled across “Insecam project”, a strange directory of global surveillance camera footage. This is “the world [sic] biggest directory of online surveillance security cameras,” proclaims the welcome text. “Now you can search live web cams around the world. You can find here Axis, Panasonic, Linksys, Sony, TPLink, Foscam and a lot of other network video cams available online without a password.”


Nearly 27,000 cameras from 126 countries and 38 locations

In fact, a count of the full list reveals live footage from nearly 27,000 cameras from 126 countries and 38 locations. These include coffee houses, airlines, swimming pools, farms, roads, kitchens and much more. There are chairs-on-tables at 2am in a Tokyo café, a time-delay cyclist on a beautiful dawn beach, while one lens pans in and out of blurred-boat-windows on a deserted Florida dock.

As this is all streamed live from locations around the world – via various types of equipment with differing levels of quality – the panorama is quite spectacular. Each has a Google map and coordinates underneath the video. It is a decidedly creepy world to enter.

Yet the blurb is keen to stress that a number of actions were undertaken to ensure the protection of individuals’ privacy. This means that only filtered cameras are available, any unethical or private camera will be removed on receipt of an email and camera feeds will only be added to the directory upon the administrator’s approval.  

I drop the administrator a note to find out more about the project. An email pops back within an hour but the individual will not provide their name. He explains how it all began:

“A few years ago there was popular way to search cameras in search systems. I was working with CCTV and it was very interesting for me. [So] I started to explore [for a] new way to search cameras. And I found it. I was surprised when I found tons of cameras and my idea was to tell the world about it.”

The administrator emphasises this is not hacking because these are publicly accessible devices. “It is not hard to collect cameras - the hardest job is to find and delete unethical cameras.”


Global CCTV footage is publicly available and certainly not hacked

James Wickes, co-founder and CEO of Cloudview – a company which helps securely connect CCTV to the cloud – agrees this information is perfectly legal and on no level hacked. “I think that connecting a CCTV camera or DVR to the internet without taking any security measures is the equivalent of planting a field of strawberries without fences or gates and then expecting no one to take any,” he says.

“Whilst I cannot see the commercial or public interest in creating a site [like this] apart from hoping to gain notoriety,” he adds, “it is not surprising that such sites are springing up.”

The footage is eerie, and weirdly fascinating, but not terribly interesting. “Most people use [the] country listing to watch [their] own country,” says the administrator. “Also it's the best way to select cameras by day time.

“Insecam project provides a view into the real life in different countries without any subjective distortion through the lens of the media,” the administrator adds. “See the weather, see the city, streets, parking lots and other interesting places in real time. This is a really unique and interesting opportunity to see the world through different eyes.”

Perhaps not surprisingly, the most popular location – with 7416 cameras – is the US. This is followed by Japan (5255), then Italy (1557) and then France (1389). This is not necessarily what you’d expect, as France and Germany (seventh on the list with 682 cameras) have traditionally had a very negative view of surveillance due to their recent history.

Contrast this with the UK, especially London – heavily targeted by the IRA through the 1970s and 80s – which has had a far more positive view of CCTV surveillance. Yet it has only 605 cameras listed.


The vast CCTV security hack threat which will only worsen with IoT

This leaves me wondering how many people – and organisations – are aware of the password issues associated with CCTV cameras. The administrator believes this is a huge problem:

“The results of my exploration are terrifying: millions of cameras are available to view using default factory password. It’s not difficult to try admin:admin to ‘hack’ such cameras. It does not even require any programming skills. So there is a lot of scanning software to search such cameras and teenagers use it for fun.”

Wickes of Cloudview shares the same view: “The insecurity of CCTV equipment is an extremely serious problem. Yes, some of the hacking of CCTV equipment is carried out by bored teenagers, but it doesn’t take a rocket scientist to work out that the planning of a serious crime would be greatly assisted by access to the CCTV equipment covering the target.

“Consider what sort of person will be spending time looking around for insecure CCTV cameras,” he adds, “and then consider that some of these people are likely to be unsavoury as well as very nosey. Would you leave your front door open for them? No. So why would you let them in through your CCTV by leaving it open on the internet?”

The site administrator suggests: “In order to avoid a situation when the camera which is not installed for public access becomes publicly available, the owner of each device should pay great attention to security settings and check the security password. It is desirable to select [a] difficult password. This problem can be solved only by mass media information.”

This point is seconded by Wickes: “The security of CCTV systems could be greatly improved if the equipment manufacturers highlighted more effectively the need to change passwords etc. and offered further advice on securing their products. I do feel that some form of Kitemark or grading for cyber security would be a great help to the consumer. Such a system would also encourage suppliers to differentiate themselves through offering better security.”

In fact, Wickes goes one further and suggests this is one of the particular vulnerabilities in the Internet of Things. “One area which big business has largely ignored and which doesn’t get much media coverage is the potential for attacks via CCTV systems,” he says.

In the end, this raises a question, which everyone should know the answer to: Do you know who is watching your CCTV?