We Can See You Haven’t Changed Your Webcam Password

Seriously People, Change The Password Your Kit Ships With!
You would think that, with sites like Insecam.org being relatively well known, the lesson would have sunk in that changing your webcam’s default password is at least as important as changing your default router password. Unless you are a serious exhibitionist, the chances are that you don’t want people watching you carry out your daily routine via your webcam, but that is exactly what you are allowing if you didn’t take that one simple step. There are enough hard-coded passwords and architectural vulnerabilities in the IoS to worry about, without making it that easy for someone to watch you online.
Insecam is at least nice enough to check streams for private or unethical content before linking to them, and allows people to report any they missed for removal. They even tell you how to get off of their page: just change the default password on your camera! Unfortunately, not everyone is quite so ethical, which is why it is a blessing we have white hats out there who will disclose successful breaches to webcam companies when they find them.
Case in point is the recent breach of 150,000+ Verkada webcams at a wide variety of hospitals, police stations and even Tesla for that matter. In this specific case it wasn’t even the user’s fault; Verkada left an admin account username and password available in plain text buried on their site. Armed with that password, these hacktivists were able to access all of their cameras. If you are curious, the user was admin and the password was the same one that could be used to unlock some very famous luggage.
It is hard for users to protect themselves from the stupidity of a manufacturer, but changing the password on your new nanny cam or doorbell is a first step.
Those cameras belonged to a whole host of organisations, according to the Bloomberg financial newswire, including: Tesla; Cloudflare; hospitals; police stations; prisons and, allegedly, more.
More Tech News From Around The Web
- This developer created the fake programming language MOVA to catch out naughty recruiters, résumé padders @ The Register
- There’s a vexing mystery surrounding the 0-day attacks on Exchange servers @ Ars Technica
- Lou Ottens, Inventor of the Cassette Tape, Has Died @ Slashdot
- Stadia Lets You Play People’s Screenshots @ Slashdot
- 3D Printer Air Compressor Is A Wankel @ Hackaday
- Blender 2.92 Linux & Windows Performance @ Techgage
- ASUS RT-AX68U Wi-Fi 6 Wireless Router @ Tweaktown
They wouldn’t have gotten compromised if they used 123456 instead. That 6 makes all of the difference; supercomputers would have spent decades trying to figure that out.
I install these on a professional level and I’m not sure I’ve ever even heard of Verkada, but it looks like they are a relatively new, cloud-based (NVR-less) solution, so that would explain why. Their market share is probably sub 1% and the only reason anyone takes notice of this is ’cause “cloud”.
Unsecured passwords aside, cloud-based security cameras sound like an awful idea in general, and I can’t imagine anything like this would pass in a health care environment.