CLEVELAND - Who's watching you?
Investigators at 5 On Your Side, the 2 Works for You sister station in Cleveland, uncovered thousands of cameras here in the United States that are supposed to be private but are now open to all on the Internet.
We set out to see just how secure all of this video really is in your homes, in your schools, in your workplaces. What we found was an organization in Russia. It knows all about these cameras and it's exposing loopholes and directly violating the most private areas of your life.
We found a naked man roaming around his family room in Virginia. It wasn’t a porn site. It's someone's private camera hacked and being shown live on the Russian website that we are not naming.
How about medical procedures? We found a live operation in Missouri where you can see the needle coming out of the patient's face. Also, we saw a sleep clinic in Maryland where a man is wired for monitoring and then sleeping on camera live.
We located lots of children. Numerous daycare centers with tiny, innocent babies in Michigan; school-age children playing, laughing in their classrooms in Pennsylvania; and even a precious, young girl sleeping in her bed in Georgia. No outside eyes should be seeing this.
Then there were crib cams. They are the very thing that parents buy so we can keep an eye on our children; keep them safe from the outside world.
We tracked down a family on Cleveland's west side that had a camera in a baby's room. You could see mom and dad changing their newborn with the diapers, the baby blanket, and the little clothes. The family was so devastated by the idea that someone would livestream that to the whole world on the Internet that they've asked us not to show the video. So, we're not.
Despite the anger, frustration, and fear, the father was willing to talk to us. We'll call him “John”. "It's like leaving your blinds open and a bunch of people looking in at you,” said the father, who wants to remain anonymous. John told us it was “very unsettling” for the family to find out he and his baby were on the site.
That website claims it's making private cameras public because people are not changing the default passwords on their systems. “John” told me he was not thorough enough when using his camera. "I should have been very much more diligent about realizing that's a window into your home,” he told us.
We asked Cleveland State University Professor of Law and Cybersecurity Expert Candice Hoke about the video we saw. "If you were the parent of this child, what would you think?” we asked. “I would be scared," replied Hoke. "I would find it (violating) for myself and for any family member," she added.
Hoke put the blame not only on the hackers, but also on the companies making the cameras. "They’re putting that product out on the marketplace quickly and frequently they undercut the design and engineering process especially for security," she said. But she also blamed our government leaders. She's worked with the Department of Defense and Homeland Security. She said if the FDA has to approve drugs, then why is there no set of standards for security cameras? "The risks to American consumers and American businesses are substantial," Hoke told us.
We also found women in California changing their clothes for work, in a place where privacy is expected and should be protected. Candice said that kind of online protection is something the Federal Trade Commission wants oversight on. "The FTC has asked for years for direct authority to be able to issue rules for baseline cybersecurity and Congress has not authorized it,” she explained.
We continued our questions with another cybersecurity expert. "How easy is it to get into these systems?” we asked. “It can be very straightforward," said Ken Smith. He is an "ethical hacker" with SecureState, a Cleveland company that touts itself as a global management consulting firm specializing in information security.
Smith took us into SecureState's "War Room" where they're paid to break sites and help find the holes in companies' or government agencies' systems.
He told me IP-based cameras started filling commercial needs but now the cameras are all over the place. Every day, more and more are in our homes, capturing our lives. Video is wildly popular. "They've had security issues in them since the devices' inception and because consumers are taking them now, all of those are starting to come to light," explained Smith.
The light is now on for a protective father. “John” gets it. He just wanted to keep his family secure, trying to do the right thing only to show up on a website. "You have to watch everything because anything connected to the Internet can obviously be accessed and probably pretty easily," said “John”.
We reached out to six of the top brands of cameras that the Russian website noted in its hacking: Panasonic, Linksys, Sony, TP-Link, Foscam, and Axis. The only companies that responded were Linksys and TP-Link.
They denied us an interview but sent these statements:
“In 2014, Linksys was made aware by various media sources of the ability to view older Linksys IP cameras’ live streams when hackers used the default password. As a result – Linksys stopped selling those older IP cameras and posted firmware updates to our website for all Linksys cameras that shipped with default passwords and did not force users to change these default passwords. However, if customers did not update the firmware or change their default password, they would still be susceptible to hackers using the default password that shipped with the cameras. We continue to urge customers to change their passwords on all their networking devices during setup and on a regular basis thereafter. Here is more information about how to change your camera password: http://www.linksys.com/us/support-article?articleNum=136632”
- How does this hacking happen with your cameras/systems?
These cameras have not been "hacked." The insecam.org site itself specifically states that all cameras in its collection are accessible because they either lack password protection or they use common/easily guessed passwords. All TP-LINK cameras feature password protection and the type of "hacking" that you have described can only occur if two specific conditions are met simultaneously. (1) The user must expose the camera by enabling one of the UPNP, PPPOE, DDNS, or DMZ functions, which are all disabled by default, and (2) the user must continue to use the default password or use a weak/easily guessed password.
If the user has set a strong, unique password or has not activated the UPNP, PPPOE, DDNS, or DMZ functions, this so-called "hacking" is impossible.
- What are you doing to let customers know that their cameras have vulnerabilities?
TP-LINK cameras do not have vulnerabilities. Consumers are choosing to open up their cameras to public viewership by enabling one of the UPNP, PPPOE, DDNS, or DMZ functions. We are crafting additional statements that explain the risks associated with selecting these settings and we constantly remind users to change default passwords during the set-up process.
- What have you done to help prevent this from happening to cameras you currently manufacture?
We have taken a number of steps to tighten security and prevent accidental intrusions. TP-LINK ensures that UPNP, PPPOE, DDNS, and DMZ functions are disabled by default on all of our camera products, meaning that one of these features must be activated by the user for the camera to be exposed. Also, as a matter of practice, we always strongly recommend that users secure their devices by creating strong, unique passwords for any TP-LINK product. Finally, we are developing a new access process that will force users to log in with a unique username and password when accessing their camera feeds, moving forward.
- How long have you known about this problem?
While this particular website has only come to our attention within the past month, these general security concerns have been known for quite some time. This is why TP-LINK takes various steps to educate and limit the risks that our customers face. The company has disabled certain functions by default and strongly urges its customers to create strong, unique passwords for all devices. TP-LINK is also changing relevant access policies to ensure that users do not continue to use default passwords when setting up their cloud cameras.
- Have the vulnerabilities hurt sales?
We do not have any data that would suggest a significant or unusual trend in camera sales or that would demonstrate any causal relationship between these specific security concerns and sales of these product lines.
- Do you worry about liability in cases where people's private lives have been invaded?
We attach great importance to user privacy and the security of information. We already have a number of safeguards in place to protect our customers and we continue developing new ways to keep our users and their information as safe as possible. Caring for our customers and providing them with adequate security, while offering the best user experience has always been our top priority and will continue to be, moving forward.
So, one of the biggest messages for you at home is to change your default settings and make strong passwords. That will help in the fight against hackers.