In the physical world everyone applies basic security principles such as closing and locking doors when leaving their home. We are, for the most part, security conscious, and the majority of us wouldn’t knock on the door of a con man and start a conversation. It’s also true that we have a good understanding of what makes our world safe, such as fitting a car alarm or carrying a personal safety alarm. In the digital world we seem to lose these basic instincts and brazenly click link after link, trusting that we’ll end up in a safe place. Unfortunately, many innocent-looking websites are acting for the forces of evil, and it is not always obvious that this is the case.
Let me tell you a story. A husband and wife have a beautiful child. The husband works away a lot, and comes up with the idea of purchasing a web cam which they can place in the baby’s room, allowing the husband to see his beautiful child over the Internet wherever he is. Of course, the web cam will only allow the father to connect and view the footage. Using technology this way is amazing. Connecting a family regardless of geographic distance is a great achievement.
The thought of anyone else prying into their baby’s room would send shivers down anyone’s spine. Do we really trust the web cam manufacturers and Internet service providers? What if they make a mistake and anyone can access the camera, unknown to the parents? This thought is intended to provoke and shock, and I would expect some to label me a scaremonger. Unfortunately, the truth is that this scenario has already happened.
For some time a web cam produced by Trendnet has been sold to the general public which exposes its video stream to anyone on the Internet. Of course Trendnet have not done this on purpose. Somewhere in their quality control system they have missed the fact that the product does this. To counter this major problem Trendnet issued a new version of the firmware, which owners of the hardware can apply to fix their cameras. Sadly, most of those who purchased the camera are unaware of the problem, and thus have no clue that they need to apply the fix.
Last week the following website attempted to spread the word that hundreds of thousands of these cameras are still exposing their streams over the Internet. Using Google’s mapping tools, they published the following at http://cams.hhba.info/:
Each pin on the map represents a web cam that suffers from this problem. Clicking the pin allows you to connect to the camera. Very, very scary! Thankfully, Google revoked the site’s access to their mapping tools and the site stopped. However, a list of addresses for connecting to each camera has been published publicly on Pastebin.
What can we do?
Publishing this list is a double-edged sword. It primarily raises awareness, allowing the IT-aware among us to check whether our friends and family have this camera and, if so, to apply the new firmware to close the flaw. The downside is that it lets the world, including the underworld, connect and watch.
To prevent this in the future we need to educate. We need people to understand what they are buying and that they need to be responsible for it. When I say responsible, I mean they need to subscribe to the manufacturer’s security mailing list or newsletters and react based on the manufacturer’s recommendations. If consumers do not understand how to configure the cameras to be secure, then enlist an IT expert! We wouldn’t try to fix our own cars if we knew nothing about mechanics, so why do we do this in the IT sector? Security is not easy!
The industry should also take responsibility. If we look at the automotive industry, many manufacturers have recalled an entire production line of cars due to flaws. They contact the owners and act as one would expect.
We can improve, but we need to move together. So let’s spread the word.