Amer Owaida, Security Writer at ESET, explains that thousands of home security cameras were reportedly hacked and that some of the footage has already appeared on adult sites, with cybercriminals offering lifetime access to the entire loot for US$150.
A hacker collective claims to have breached over 50,000 home security cameras before going on to steal people’s private footage and post some of it online. While a considerable portion of the videos seems to have come from Singapore, a number of people living in Thailand, South Korea, and Canada also seem to have had their privacy invaded.
Some of the videos – which range from one to twenty minutes in length and show people of varying ages in compromising positions or various stages of undress – have been uploaded to porn websites.
The New Paper, which broke the story, quoted the unnamed hacker group as saying that it has shared the clips with over 70 members who paid US$150 for lifetime access to the loot. The gang, whose group on the instant messaging app Discord has nearly 1,000 members, reportedly specializes in hacking security cameras.
To lend extra credence to their claims, the collective is offering a free sample containing 700 megabytes worth of data comprising over 4,000 clips and pictures. They’re also reportedly willing to share access to all hijacked cameras with fellow members. Moreover, “VIP members” with voyeuristic tendencies will be treated to a course on how to “explore, watch live and record” hacked cameras, which could mean that the number of private videos could grow over time.
“As worrying as it may seem, this comes as a clear reminder that when cameras are placed on the internet, they must be properly installed with security in mind. When smart devices are set up, they are still regularly placed around the home with no second thought for privacy,” said ESET Security Specialist Jake Moore. However, he hopes that the incident will prompt people to take security precautions when setting up their smart cameras.
While details on how the cybercriminals were able to gain access to the cameras that are usually used to boost security or monitor minors are sparse, there are multiple plausible explanations for how the cameras were compromised.
Much like other devices, internet-connected cameras aren’t immune to security vulnerabilities. For example, a few months ago British consumer watchdog Which? warned about 3.5 million cameras from around the world that were susceptible to hacking due to a set of security flaws. Last year, ESET researchers uncovered a series of vulnerabilities in a D-Link cloud camera that could have allowed attackers to tap into its video stream.
Poor password hygiene could be blamed for the hacks. Users may have stuck to the default password that was set up by the device manufacturer and wouldn’t be hard to obtain or guess for anyone with ill intentions. Other users may have underestimated the need for a strong and unique password or passphrase for a ‘mere’ IoT device.
Whatever the case may be, IoT security should not be underestimated, as the use of all sorts of smart devices has profound security and privacy implications. To save yourself from a privacy nightmare in the future, make sure that all your IoT devices run the latest firmware version and that any security patches are applied promptly. When choosing a password, try to avoid the cardinal sins of password creation.
Whenever possible, secure your accounts with multi-factor authentication. If you’re considering buying a connected device, instead of going for the cheapest option, choose a reputable vendor with a proven track record of manufacturing properly secured devices that it regularly updates and patches during their lifecycle.