Naked Security

Woman films her spying webcam as it talks to her

The webcam swivelled around on its own and began to speak

Webcam, I gotta tell ya: this is not the way to sweet-talk a random woman into cyber-rubbing up against you:

What did that person see from me? My house, my personal effects..
During dinner, I was amazed at a friend of mine who wondered how this was possible.. We decided to put the camera down 1 times with the lens to the wall. Would there be any response?
In 1 minutes, it was hit…
– hello
– Do you speak French?
I’m sorry.
– Do you speak French?
Me, no, englisch!
………
lk: What did you do?
– it’d good?
lk: no!
Get the f*** out of my house, now!
Shut the f*** off!
– I don’t know?
lk: shut the f*** out of my house, go away!
– hello, miss!
Me, yeah, f*** you!
– ohhhhhhh s*** – my d***!

We pulled the plug and put the camera back in the box..
Crying, upset..
My privacy, my house, my personal stuff and myself… I’m scared.. terrified.

That suave chat is a translation of what webcam owner and shocked F-bomb flinger Rilana Hamer, of the Netherlands, related in a 1 October Facebook post.

Hamer says that a month or two ago, she picked up a Wi-Fi enabled camera to keep an eye on the house. Most particularly, to keep an eye on her puppy, who has a penchant for turning everything upside down. She bought the device at Action—a local discount-chain store that mostly sells low-budget convenience utilities.

So there she was, putting away her groceries, cleaning, singing as she went about her chores, when she heard a “rumbling” from the living room.

She went to check on the noise and it was the camera, swiveling around. Her phone, which she uses to control the webcam, was on her bed.

Huh, she thought, it must be updating, so she went back to what she’d been doing. But that’s when the hacker who’d taken control of the webcam decided to ramp up the interactive aspect of his creepiness with a greeting:

Bonjour, madame!

The camera was moving back and forth. Hamer moved back and forth, and it followed her. Then, it asked her if all was well with her:

Bonjour madame, tout bien avec vous?

Understandably enough, Hamer was freaked out. She ran to the camera, pulled out its plug, and threw it in a box. From her Facebook post:

I was full of fear and thought I was crazy. I’m being watched, but for how long? What has that person seen from me? My house, my personal possessions…

What restraint! I would have crushed it like a bug.

Over dinner, a friend wondered how it was possible. She and Hamer decided to plug the camera in again, this time with the lens to the wall and a camera phone on hand to record its actions (the video of the encounter is on Hamer’s Facebook post).

It only took a minute before her chatty hacker was back—well, if not the bonjour guy, then another guy, who knows? This time, it tried out its Google Translate Spanish:

Hola, señorita.

The conversation cited above unfurled, ending with the charming invitation to, well, go on a date, or something.

Whenever stories like this emerge we ask ourselves: is it real or could it be a hoax? The truth is we don’t know, but our instinct is that it’s real. As we mulled what little evidence we have, we agreed that the “suck my d*ck” at the end sounded more like the stock response of a socially inept adolescent being rebuffed than something scripted.

It wouldn’t be the first time that an unsecured webcam has started swivelling around on its own, nor the first time somebody’s privacy has been invaded by an idiot spitting base insults through one.

Sadly there are people out there who get a kick out of spying on strangers and there is a trove of easily discovered, poorly secured cameras for them to peek through.

In fact, there are sites where e-marauders can choose from a variety of feeds being pirated from devices. In 2014, we wrote about a site that offered feeds from baby monitors in nurseries, as well as from security webcams delivering live feeds from bedrooms, offices, shops, restaurants, bars, swimming pools and gymnasiums.

There is also Shodan, a search engine for the IoT (Internet of Things). Shodan makes it easy to find connected devices of all kinds, including vulnerable cameras, and it puts the most recently connected devices at the top. Perhaps Hamer was just the first accessible target in a lurker’s search results.

If you have a webcam, make sure it’s secure. If you can password protect it, choose a strong password. If it came with a default password, change it. IoT devices are notorious for shipping with default passwords that are easily discovered by crooks.

Assume that using a default password with an internet-connected device is the same as using no password at all.


8 Comments

How would Sophos help?

By creating a popular website dedicated to computer security news, opinion, advice and research where we can say things like “please don’t rely on default passwords” :)

Seriously though… with a few exceptions Sophos products are aimed at securing businesses rather than homes, and in all situations, no matter how much kit you have installed, you need to practice defence in depth. That includes doing some basics like staying on top of your patching and using strong passwords nobody else knows or can easily guess.

One of the exceptions to the otherwise business to business portfolio is the XG Firewall Home edition which probably could have helped. It’s awesome, but something of a project to set up. It’s essentially a business grade firewall without its shiny box that’s been made available for free.
https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx

An easier option would be to look at our 7 tips for securing the Internet of Things:
https://nakedsecurity.sophos.com/2016/03/07/7-tips-for-securing-the-internet-of-things

Does Sophos have a page that details the differences between the Home Editions of both XG Firewall and UTM?
Also, thanks for the article.

Here are two pages you can start from…

https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx
https://www.sophos.com/en-us/products/free-tools/sophos-utm-home-edition.aspx

If it was a smart device connected to her Wi-Fi, wouldn’t a hacker have to crack her Wi-Fi before they could connect to devices on the network?

No they wouldn’t, the webcam connects to a server which goes to her mobile which means it is open to the internet and chatting.

I wonder if that means that the Service server could have been hacked and not just the webcam. If it was just the webcam being accessed, then there would be no need for the Service, and the safest way to set up would be with the free firewall – configured to block the cam, but use the VPN (that comes with the firewall) to access her internal network.

It can be as simple as trying the default credentials for the webcam. If the user hasn’t bothered to change them then you can remotely connect, simple as that.
