A few years back, a site that made extremely dubious white-hat claims about pointing out the dangers of not changing default passwords on IP cameras was corralling live streams, allowing strangers to spy on the feeds coming from baby monitors and security webcams in bedrooms, offices, shops, restaurants, bars, swimming pools and gymnasiums.
Reporters at the Daily Mail who watched footage said they viewed babies in cots, a schoolboy playing on his computer at home in North London, another boy asleep in bed, the inside of a Surrey vicar’s church changing room, an elderly woman relaxing in an armchair, and two men in a kitchen sharing a meal.
That’s old news, dating to 2014. Unfortunately, despite the regularly issued advice to change default passwords on these devices and calls for manufacturers to make them secure from the get-go, little has changed.
On Friday, the UK’s data watchdog – the Information Commissioner’s Office (ICO) – posted on its blog that we’re still seeing people and device makers commit the same mistakes: namely, people don’t secure these gadgets, and manufacturers aren’t incorporating adequate security into their products.
When Ars Technica contacted the ICO, it declined to name whatever sites it’s spotted offering these live streams.
But a spokeswoman told Ars that as it is, you don’t need an intermediary website to spy on people, given that you can directly connect to them. After all, they’re easily findable with search engines.
Ars quotes her:
With reports of many billions of IoT devices due to be connected by 2020, this is a problem that needs to be addressed now. We wouldn’t recommend any specific models but would advise consumers to follow our tips when purchasing and setting up an IoT device.
Even the most secure device can be subject to unauthorised access if the username and password was set to, or left as, admin.
Unsecured Internet of Things (IoT) devices pose more threats than just privacy invasion, noted the ICO’s Simon Rice, Group Manager for Technology.
Using connected gadgets that aren’t secured opens us up to the possibility that our private information is also susceptible to being exposed, he said.
A lack of security when it comes to IoT devices could mean that a search engine is used by criminals to locate vulnerable devices and then gain access to them or others on your home network.
An attacker could then use your equipment to mount attacks on others or take your personal data to commit identity fraud.
We know of one IoT gadget search engine in particular that keeps popping up in headlines: it’s called Shodan.
Shodan crawls its way around the internet, connecting to likely services, logging what comes back, and creating a searchable index of the results.
It’s bad enough that everyday objects – things like kettles, TVs and baby monitors – are getting connected to the internet with elementary security flaws still in place.
But the fact that they’re easily discovered via a search engine like Shodan makes the situation even worse.
We can’t hold consumers responsible for all of these unsecured connected devices. As it is, manufacturers could do more: they could, for example, ship devices with passwords that are unique to each device. They could also manufacture devices that require password changes upon installation.
The ICO spokeswoman said that manufacturers should “subject IoT devices to a robust security test before launch and for every subsequent firmware update.”
Ars quotes her:
They also need to commit to supporting devices for a reasonable length of time following launch and act quickly on reports of security vulnerabilities. They should also make the devices ‘secure by default’ and make the user interface intuitive.
Security should not be left up to the individual to configure the device through a difficult to navigate user interface.
The ICO’s Rice says that the office is, in fact, continuing to work with manufacturers on how to improve the situation.
That doesn’t let consumers off the hook, though, he said. If people don’t protect themselves and their families when using these devices, they might find personal files easily accessible through popular search engines, casual browsing or the efforts of determined attackers.
The ICO handed out these basic tips on how to be safer when using IoT devices:
- Research the most secure products before buying. For example, some mobile phones have never, and will never, receive security fixes.
- Secure your router with a strong password. Some routers don’t even use a password, while some rely on a default password that’s easy to guess. Here’s how to cook up a strong one.
- Secure the device by changing its default user name and password. The ICO notes that default credentials for many devices are freely available on the internet and can be located with ease. Again, choose a strong password, and make sure it’s unique. As it is, there are tools that automatically sniff out reused credentials, making it even easier to get into all the sites where you’ve reused the same password..
- Check manufacturers’ sites for known security vulnerabilities. Don’t leave vulnerabilities on the back burner: make sure to update the software in a timely manner.
- Don’t just plug and play. Instead, take the time to read the manual: there might be extra security and privacy options available.
- Use two-step authentication (2FA) whenever possible. 2FA isn’t infallible, but it’s damn good at keeping crooks out of your accounts, even if they pilfer your username and password.