Last week several webcams at a Cape Breton school were discovered to be broadcasting publicly and indexed by a search engine at insecam.org. The camera was taken down after the incident was reported, but CBC’s coverage by Susan Bradley and Jack Julian leaves much to be desired.
(Privacy Commissioner) Tully said passwords need to be encrypted and the length of time images are kept should be limited so they are less likely to be accessed.
The recommended practice is to hash passwords, not encrypt them. That being said, this advice is inapplicable to the issue at hand, and it doesn’t address the fact that the device was using the default password, as evidenced by the screenshot that says change password.
Charlene Chaisson, a parent of two children at the school, spoke to CBC:
“All I can add is that although it’s my son in the image and it’s alarming, I don’t blame anybody for it happening. Things get hacked all the time and hopefully now the cameras are secure.”
Nothing was “hacked.” One can find default passwords for most devices online in aggregated lists of passwords, or in the user manual for the device. In fact, the manual for the camera in question details how to password-protect the camera feed, and explicitly says to set a password for security reasons.
CBC did talk with a cybersecurity expert:
Daniel Tobok, a cybersecurity expert in Toronto, said the problem of webcam images being streamed around the world is common…
… He blames the way the webcams are connected directly to the internet.
With the ever-impending migration to IPv6, more and more devices will be connected to the internet. The issue is not connecting devices to the internet. IP security cameras are designed to connect to the internet, and restricting the camera with a firewall would only have resolved this issue by rendering the device inoperable at best, or limiting the exposure to the school’s own network at worst.
Not once in the article did the CBC or the cybersecurity expert mention ‘changing the default password’ on devices, which in 2014 InfoWorld ranked as one of the Top 10 Colossal Security Mistakes.
Insecam.org’s FAQ tells users both how to fix their camera and how to have it removed from the site.
Q: How to remove my camera from this site
A: If you want to leave your surveillance camera public accessible but want to remove it from this site send the URL of your camera to email from contacts section. But remember that your camera still will be available to all internet users that use surveillance camera search software and sites like Shodanhq.com. The only solution to make your camera private is to set up a password!
As of May 4, it was no longer linking to the Cape Breton camera.
Kris Klein, a privacy lawyer in Toronto, had this to say:
“You don’t know who was looking at them,” Klein said. “It’s not to say that they were necessarily doing anything wrong, it’s just the fact that they had their own personal image broadcast and made available to the public at large via these shady characters.”
Appeal to emotion aside, the feed was available only because the school board’s own IT staff didn’t read the manual. With accurate reporting of the issue, one realises that the school board employees who set up the camera are the “shady characters” who made the broadcast public.