Site exposes security weakness in thousands of webcams

You have been warned: a default password is as bad as no password at all.

Whether you are chatting on a webcam or relying on a web-enabled security camera to keep your home safe, a strong password is needed to keep out prying eyes and ears. The password should be unique to you and contain enough alphanumeric characters to make it difficult to guess or hack.

But as CNET reports, well-known security camera companies like Foscam, Linksys and Panasonic pre-program simple logins like "admin" or "1234" for use during the initial setup, instructing users to change the passwords later. Unfortunately, many consumers never do change that password.

Insecam, a site which says its mission is "to show the importance of the security settings," is taking itself very literally by broadcasting the live feed of every webcam retaining its default password in the world on its site. According to CNET, there is no indication that they've actually told any of these people that they're doing this.

screen-shot-2014-11-11-at-11-01-16-am.png
Insecam streams video from tens of thousand of poorly protected video cameras set up around the world. Insecam/CNET

CNET's Bridget Carey says, "this is something that is a little creepy."

Insecam is streaming more than 9,800 cameras in the U.S., nearly 2,500 in the U.K., over 6,500 in South Korea, and thousands scattered over more than a hundred other countries. The streams include latitude and longitude markers identifying the location, along with a helpful link to Google Maps. Carey told CBS News that the site "is streaming over 73,000 of these webcam images from people's private homes because they never changed their password."

Insecam says webcams will be automatically dropped from the site if the owners just change their password, and the number of U.S. cameras being streamed is already down by several thousand so far today.

Insecam video from France
Insecam video from France. Insecam streams video from tens of thousand of poorly protected video cameras set up around the world. Insecam

Foscam COO Chase Rhymes told Motherboard that the company has updated its security protocols so users must immediately pick a new login. CNET reports that the Foscam Plug and Play Wireless IP Camera FI9826P does now force the user to update the password right away. Other companies, such as Dropcam and Samsung, make you register with your own username and password up front.

Carey warns, "This guy who made this website is showing that look, I can tap into all these homes because all these people still have 'admin' as their password! And these people don't know. That's what is really scary here."

Featured in SciTech