14 Dec Russian website streaming hundreds of cameras in Canada, experts warn your connected devices could be at risk
A reminder to always change the factory default password on your online web cam
The Toronto-area dental office didn’t know it but the security camera in its waiting room was being streamed live on the Internet.
Anyone could log on to the website and watch as patients came and went. Front-desk staff answering phones and working on their computers entering patient information.
It could be a serious breach of patient privacy. But it’s more than that – unsecured cameras also leave the entire network open for virtual intruders.
The video was being broadcast on Insecam.com, a website based in Russia. The site picked it up and streamed it along with hundreds of other security cameras that still have their factory-default passwords or are left with minimal security.
In homes, workplaces and other private spaces across the country there is a security risk hanging over the heads of many Canadians – wireless surveillance cameras left unsecured.
Websites like Shodan and NestCam Directory, both hosted in the U.S. and Insecam, currently livestream thousands of cameras from around the world, with up to 400 being livestreamed from Canada.
Some of the cameras across the country show people gathering for prayers at a church in northern Ontario, homes where street addresses are visible, or the inside of businesses in Ontario, B.C. and Nova Scotia.
When the GTA clinic was alerted that their camera was being broadcast for thousands to see, they secured their cameras and the feed was taken down.
The manager of the dental office said they installed new security cameras in October after break-ins at the clinic, but forgot to change the default password.
“When you sent them the picture, actually you scared [the office staff], honestly,” the manager said, adding the office only has a camera in the front where the public has access and does not have cameras in private areas like offices or rooms where patients are being treated.
Security and privacy experts say the increased use of wireless security cameras is part of the rising trend of internet-connected home devices, known as the Internet of Things, or IoT. It can include everything from baby monitors to so-called smart TVs and even home appliances like fridges.
But the explosion of IoT, including wireless surveillance, is providing new security threats and vulnerabilities that cyber criminals can exploit, says Daniel Tobok a cyber-intelligence expert based in Toronto.
Forgetting to change the default password on a camera or selecting a simple password create security risks as the camera can be a potential entry point to computer servers, Tobok said.
“The danger is not that they can see inside, and who is drinking an extra cup of coffee,” he said. “It actually comes down to the fact that they can use that to get into [digital] infrastructure.”
Tobok, who is chief executive officer of Cytelligence Inc., said his company is often hired to explore flaws in the digital security networks of large corporations.
“When somebody can penetrate that particular server, they can jump into other infrastructure parts. Again, that can be the router, and they can open up other ports for them to come in with a bigger attack,” he said. “They can reconfigure things like the firewall. They can jump on the Wi-Fi. There’s a lot of things that they can do.”
The number of consumer-owned connected devices in Canada is growing rapidly. Research from IDC Canada, a global market intelligence firm, found IoT devices in Canadian homes is expected to grow 60 per cent between now and 2021.
“Having real time video in your house is something that not everyone can afford or even think about doing earlier,” he said. “From the consumer’s perspective you really don’t hear a lot until something major happens like a major brand has a [privacy breach].”
The IDC report also indicated homes installing web connected security and monitoring devices will grow by 47 per cent between 2017 to 2021.
Many of the wireless cameras in Canada currently being livestreamed online are being done so without the owner’s knowledge.
In addition to the Ontario dental clinic, an unsecured camera at an Ontario daycare, as Global News reported in May, shows roughly a dozen small children being supervised by three adults in a classroom.
Another shows a home in Ontario with a clearly visible address. It’s being broadcast online, providing approximate geographical locations for the cameras.
Former Ontario Privacy commissioner Ann Cavoukian said broadcasting personal information, like a home address or a person’s identity, pose a security and privacy risk and the cameras could be accessed by nefarious third parties.
Cavoukian said facilities like a daycare or medical clinics have a responsibility to protect people’s privacy.
“You would be surprised how sensitive some information can be,” said Cavoukian, who now heads the Privacy by Design Centre of Excellence at Ryerson University. “[Patients] may not want to be known that they are there. It’s very sensitive information what they are doing at a particular kind of medical clinic.”
She also said companies that manufacture these devices should bear greater responsibility for security.
“Don’t make the default that if the customer doesn’t actually take the time to change [the password] then that means, actually, all this video footage is accessible,” she said. “Make the default the opposite, that the moment you buy a camera no one can access it.”
In 2015, Toronto police investigated an incident involving webcam hacking after someone sent a 27-year-old Toronto woman intimate photos of herself and her boyfriend watching Netflix taken via her webcam. A separate incident in southwestern Ontario that same year involved a family who had a terrifying ordeal when the camera monitoring their young child suddenly began playing music and a voice said they were being watched.
One of the companies, Defeway, Axis, Vivotek, whose products are most commonly listed as cameras being broadcast online was contacted and is taking steps to make things more secure.
In an email, a spokesperson for Vivotek said the company has updated its camera to require the user to enter a secure password.
“Our latest firmware released forces the customer to input unique login credentials, that follow the Security Hardening Guide,” the spokesperson said.
Axis and Defeway did not respond to a request for comment.
Digital experts offer information on what you need to know when buying a wireless surveillance system or web-connected device.
For Tobok, he sees the danger of careless digital security and what can happen. He warns Canadians to be proactive rather than reactive.
“We have seen a trend where bad guys are actually leveraging vulnerabilities in cameras to hold people ransom, businesses, and consumers,” he said. “Where they say, ‘Hey, I have this video of you. Pay me X amount of dollars and I’ll go away.’ When they say no, they publish it.”
Post Source: Global News