February 22, 2017

Webcams vs. Humans

Privacy Threats Tips

Recent news about IP cameras being hacked and private footage sold unlawfully online has bestirred the Internet yet again. Such headlines are now unsurprising; however, one new case has a sensitive twist: The cameras were located in a plastic surgery clinic in Moscow. No doubt you can imagine the footage. This incident was initially covered by Russian BBC. Kaspersky Lab colleagues commented in the article and pointed to lax security practices exercised by the owners. Here we’ll dive a bit deeper into the topic.

Webcams vs. Humans

What threat does surveillance pose?

The most obvious and unpleasant consequence of CCTV video leaks is the potential positive identification of people in the footage. In other words, a criminal can identify you and then use that knowledge against you for blackmail or burglary. That’s not to mention the invasion of privacy.

Of course, video footage is not enough to gather much information on a victim, but ordinary people willingly publish a lot of personal info online. Arguably, the most publicized incident of the kind was the outing of porn actresses. Active imageboard users found the actresses’ social network profiles and contact info with the help of facial recognition services such as FindFace and then bullied them.

The number of CCTV cameras is constantly increasing, as is their image quality. For example, almost every residential building entrance in Moscow is now equipped with IR cameras that provide decent-quality footage, even in the dark. Have you ever wondered how many surveillance cameras see you on your way home from a local grocery store? Have you ever thought about potential threats and means of protection?

Alas, there is no way to avoid surveillance completely. You no longer can fool omnipresent surveillance systems by using masks, glasses, or special makeup; modern systems do not rely on facial recognition alone, also analyzing the way you walk as well as your behavior and even your mood.

However, such sophisticated systems are used only by government agencies and advanced merchants. The former pursue the goal of public safety (or so they say), and the latter seek ways to quickly and effectively sell goods to customers. The rest of the world settles for good ol’ IP cameras or, in some cases, webcams. The bad news is that none of them makes security a priority.

How does footage get leaked? Well, it is very simple: Many cameras are connected so as to help owners keep an eye on the area under surveillance from anywhere in the world. Access is through a Web interface. In other words, each camera has its own little website.

This Web interface may have a full-fledged management console that can change the angle of footage, zoom in, or enable sound. In other cases, the site is just an uninterrupted stream or continuously updated images, like a TV broadcast. But here’s the problem: These “websites” and “broadcasts” can be easily found by specialized search systems such as Shodan and Censys.

Start with the right settings on your own IP camera

Why are so many camera feeds available that they’ve gotten their own search engines? The problem, in a nutshell, is that usually both users and camera makers prioritize ease of use over device security. That’s why surveillance cameras can be easily hacked with brute force.

However, there are ways to minimize the risk. First, one should regularly update firmware and use strong passwords — and regularly change those passwords. Instructions for doing those things are usually available in the user’s guide or on the product website’s support page.

Updates and strong passwords represent the bare minimum in terms of security, but unfortunately, they’re no panacea: Vendors frequently delay firmware updates or vulnerability patches for months, leaving (not very) secret backdoors to cameras’ interfaces. By the way, a big name does not necessarily guarantee healthy security practices. But at least well-known brands respond to governments’ persistent calls for better user security.

Second, one should always disable unused features. This is particularly applicable to the various cloud services with which an increasing number of cameras are equipped by default. Such services may, for example, offer remote access to footage by smartphone app or even storage for CCTV footage. Those perks are convenient indeed, but they aren’t exactly transparent to the end user, and thus their real security level is not easy to assess.

Additional measures require some measure of expertise. For example, you might enable HTTPS access to the camera. Of course, in this case you are likely to use a self-issued certificate, which would provoke repeated browser alerts, but at least it is something.

Another thing you might do is tweak your home router to isolate your internal network from the outside, enabling exclusive access to only some select device functions. One more option is an intermediary device in the form of NAS storage. Even a basic IP camera comes with video surveillance software. Of course, in this case you should enable secure access as described above.

Every device has a webcam now

The above was all about IP cameras. As for webcams, you already know what to do. If it’s a standalone camera, plug it into a USB port only when you need it. If it’s an integrated laptop webcam, you can always put tape over the lens. Hate the look? There are special plastic cover kits.

As for smartphones, the solution is even simpler: a tough, nontransparent case covering the rear camera, tape over the front-facing lens. And don’t forget to use antivirus products on all devices.

What about other people’s cameras?

One last thing. You cannot do anything about public surveillance cameras. Learn their locations by all means, and deliberately avoid them if you can. Doing so may look weird and might attract extra attention, though. As far as semi-public surveillance (to coin a phrase), there are a few things you can do. We are talking here about cameras deployed in entrance hallways and staircases in residential buildings.

The relevant regulations vary from country to country. In countries like Russia, for example, an entryway is considered communal property, so the installation of surveillance needs to be approved by residents and facility management. If a camera does not allow its owner to peer into private property, the installation is usually easily approved.

That said, before you fight the installation of an entryway camera, consider that such a camera might be helpful if you need to identify criminals in case of vandalism or burglary. Criminals might even be scared off by a camera — even a fake one. But a hidden camera or secret surveillance is definitely out of bounds. Stay away from that!

If footage of you is leaked online without your consent, you can pursue legal avenues to have it removed. However, there are nuances to consider. First, think about the Streisand effect. Second, there could be legal peculiarities about pretty much everything. For example a video from a public place containing other people beside you might not be a subject to a lawsuit.