A Russian-run website, which purports to show content from unsecure webcams around the world, has been drawing derision from Britain to Australia. But while officials talk of shutting down the site, its owner has defended it – claiming that it was meant to show the vulnerability of webcams and the importance of defending data with passwords.
Insecam.cc has been live since September. But web watchdogs were alerted today when Reddit users began posting screenshots from its thousands of feeds, while commenting on their content. Some have even reposted images of people masturbating and sex workers.
Within hours authorities from Europe to the Far East were voicing their concerns at the ‘hack’, claiming that it circumvents privacy laws and even plays into the hands of paedophiles. “The website supports and publishes massive criminal invasions of privacy on a worldwide scale,” Alexander Dix, Berlin commissioner for data protection, told Red Herring. “The Russian government should act immediately to stop this.”
Britain’s information commissioner, Christopher Graham, also urged Russian authorities to shut down Insecam, claiming that he would be working alongside the US Federal Trade Commission (FTC) if necessary. “We now want to take very prompt action working with the Federal Trade Commission in the States to get this thing closed down,” he said.
Today 15 EU nationals were arrested in an operation by Europol to combat the use of remote access Trojans (RATs) to hack webcams.
However, speaking today to Red Herring via a series of email conversations, Insecam’s administrator stressed that there was no hacking involved at Insecam, which instead targets web-connected cameras with low-strength or no password. “I use (a) networks scanner to collect cameras,” the admin said. “Now only cameras without passwords are available on the site. They are not hacked! But there are millions of public cameras in the world which are not easy available to embed on the site.
“I had a database of 160,000 cameras with default passwords,” added the admin, who vowed to shut down any ‘unethical’ feeds manually. “About 110,000 became unavailable because of changed passwords by owners. It is a good result. These people were watched for a many years and now they got a chance to know about the problem.”
“My advice? Only two words: SET a PASSWORD!”
Many commentators have noted authorities’ and the media’s eagerness to equate the site’s origin with hackers. ValueWalk’s Michael Ide claims that most reports are “playing into both privacy fears and Russophobia at the same time…the website appears to be more of a public service announcement than an actual attempt to spy on people.”
Indeed, the website’s introduction text states: “This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private the only thing you need to do is to change your camera default password.”
That will do little to persuade privacy advocates worldwide from calling for Insecam’s closure. “I am not an expert in Russian law, but from an international perspective this website is flagrantly violating the human rights to privacy and family life,” said Berlin’s Dix.
Insecam is registered with DomainsByProxy.com, a wing of GoDaddy.com that allows clients anonymity. However, the website is registered with a domain name in the Australia-administered Cocos Islands. And as international authorities have no jurisdiction in Russia, there is very little they can do aside from highlighting the importance of web security.
“Changing preset passwords is the first and most simple measure anyone can take,” said Dix. “However, I would go further to call on manufacturers of webcams – and indeed other gadgets such as routers – not only to encourage users to change the preset password but also to design the technology in such a way that you can only use it after you have changed the preset “one-time” password.
“Furthermore I would recommend that webcams are designed to use protected (encrypted) communications channels like virtual private networks, which would protect the images transmitted online from outside attackers who may have broken the password,” he added. “Encryption should be the default setting. This would increase the protection.”