Seriously People, Change The Password Your Kit Ships With!
You would think that, with sites like Insecam.org being relatively well known, people would have learned that changing your webcam’s default password is at least as important as changing your default router password. Unless you are a serious exhibitionist, the chances are that you don’t want people watching you carry out your daily routine via your webcam, but that is exactly what you are allowing if you didn’t take that one simple step. There are enough hard-coded passwords and architectural vulnerabilities in the IoS to worry about, without making it that easy for someone to watch you online.
Insecam is at least nice enough to check streams for private or unethical content before linking to them, and allow people to report any they missed for removal. They even tell you how to get off of their page; just change the default password on your camera! Unfortunately not everyone is quite so ethical, which is why it is a blessing we have white hats out there who will disclose successful breaches to webcam companies when they find them.
Case in point is the recent breach of 150,000+ Verkada webcams at a wide variety of hospitals, police stations and even Tesla for that matter. In this specific case it wasn’t even the user’s fault; Verkada left an admin account username and password available in plain text buried on their site. Armed with that password, these hacktivists were able to access all of their cameras. If you are curious, the user was admin and the password was the same one that could be used to unlock some very famous luggage.
It is hard for users to protect themselves from the stupidity of a manufacturer, but changing the password on your new nanny cam or doorbell is a first step.
Those cameras belonged to a whole host of organisations, according to the Bloomberg financial newswire, including: Tesla; Cloudflare; hospitals; police stations; prisons and, allegedly, more.