Skip to content
Naked Security Naked Security

NCSC: Secure your webcams now

We don't want to see what you do behind closed doors, but lots of hackers would be happy to pull up a chair to view that video stream.

The UK’s £1.9 billion, five-year National Cyber Security Strategy has a lofty goal: it aims to make the UK “the safest place to live and work online.”
Well, it sure as shinola can’t do that if people are slathering internet-enabled cameras all over their homes without first changing default passwords.
That’s why the National Cyber Security Centre (NCSC) – a part of GCHQ – has published some tips on how to safely use all those easily hijacked internet-enabled cameras, be they tucked into your robot vacuum, smoke alarms, water bottles, USB power plugs, lightbulbs, thermostats, alarm clocks, wall clocks, clothes hooks, teddy bears, air fresheners, picture frames, wall outlets, baby monitors, home surveillance systems, smart doorbells, or, say, decorative bird statues glued to the bed’s footboard for purposes one assumes aren’t always quite wholesome.
It’s woefully easy to hack something with an unchanged default password – passwords that voyeurs and other creeps can find online and then use to hijack video streams and eavesdrop on us. It’s particularly alarming when those passwords are supposed to secure video streams of your life, your front door, your bedroom, your child, your belongings, or any other manner of footage streamed out from your most intimate moments.
Fortunately, excruciating bit by long-time-coming bit, the Internet of Things (IoT) is becoming more secure. Google recently announced that it would soon begin forcing users of its Nest gadgets to use two-factor authentication (2FA), for one. It was welcome news, as was Amazon’s move a week later to do the same with its Ring video doorbells.
“Change your webcam and baby monitor’s default passwords” was actually our Advent Tip No. 5 for December 2015, and it makes sense that it’s still on the list when it comes to securing webcams, given that they’re still getting hijacked 4+ years later.

Caroline Normand – Director of Advocacy for the UK consumer advocacy group Which? – said that following the NCSC’s guidance on securing webcams is particularly important, given a) all the security flaws that keep popping up in cameras and children’s toys, and b) the fact that we’re still waiting for laws that will ensure that smart devices are safe:

Until new laws are in place, it is vital that consumers research smart device purchases carefully, and follow guidance to ensure their devices are protected by strong passwords and receiving regular security updates to reduce the risk of hackers exploiting vulnerabilities.

Digital Infrastructure Minister Matt Warman has introduced laws that will address this mess in the future. They’ll require that:

  • Device passwords must be unique and not resettable to any universal factory setting;
  • Manufacturers must provide a public point of contact so anyone can report a vulnerability, and
  • Manufacturers and retailers must state the minimum length of time for which the device will receive security updates.

Here are the three tips from the NCSC, with a sprinkling of our own advice:

1. Change your webcam’s default password to a secure one

It’s easy to do with the app you use to manage the device. NCSC recommends stringing together three random words that are easy for you to remember and using the blob as a password. If you want to see a quick video on how to do it right, we’ve got you covered:

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)

And if a website gives you the option to turn on two-factor authentication (2FA or MFA), do that too. Here’s an informative podcast that tells you all about 2FA, if you’d like to learn more:


(Audio player above not working? Download MP3 or listen on Soundcloud.)

2. Regularly update your security software

Not only does this keep your devices secure, but it often adds new features and other improvements, the NSCS says. On Safer Internet Day a few weeks ago, Paul Ducklin had this to say about the importance of updating your software:

Most software patches these days aren’t just cosmetic – they typically close security holes that could let crooks sneak in without you even realizing. So if you don’t patch, you’re much more likely to encounter a crook, because lots of attacks will succeed against you when they’ll fail against everyone who has patched.
So why leave yourself in the at-risk group if you don’t need to?
Remember, however, it’s not just your laptop that needs patches these days – you also need to keep your eye out for updates for your apps, your phone, your home router, and any of those cool “connected devices” you might have, such as internet doorbells, webcams and home assistants.

3. Turn off your webcam’s internet-enabled remote access if you don’t use it

There’s a three-letter word that says it all when it comes to how dangerous remote access can be: RAT, short for Remote Access Trojans. It’s malware that makes it possible for a crook to turn on your webcam remotely.
Indeed, in a high-profile criminal case back in 2014, Jared James Abrahams, a college student in California who was studying computer science, was sentenced to 18 months in federal prison for spying on women via their webcams. Abrahams pleaded guilty to hacking and extortion charges relating to 150 women, including Miss Teen USA, Cassidy Wolf, who went public about the threats made against her.
(By the way, Wolf also said that she had a risky habit of using the same password everywhere, which may well have been how she got attacked and infected in the first place. So if the previous security tips didn’t already convince you to beef up your passwords and stop reusing them, now’s a good time to change yours and make all of your passwords unique!)

Latest Naked Security podcast


Click-and-drag on the soundwaves below to skip to any point in the podcast. You can also listen directly on Soundcloud.


Recently we bought 2 HP servers and their iLO remote management devices have “unique” default password (printed on a label). I think all manufacturers should follow this path.


Great points on how to secure your webcam. Personally, I unplug my camera when not in use, however see for people who are frequently on Skype or doing conferences how if this is not practical, use every available option to prevent a hacker from viewing your camera. Best, Darren Chaker


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!