Who is watching your security cameras?

Posted at 11:10 PM, Feb 10, 2016
and last updated 2016-02-12 07:09:46-05

Who's watching you? The 7 Investigators uncovered thousands of cameras here in the United States that are supposed to be private, but they're now open to all on the internet.

We set out to see just how secure all of this video really is in your homes, in your schools, in your workplaces.

What we found was an organization in Russia. They know all about these cameras and they're exposing loopholes and directly violating the most private areas of your life.

We discovered images from a live video stream from inside a day care in Detroit, as well as a day care in Ann Arbor.  We found a live feed from an office in Southfield, a construction site in Detroit, and a shot of someone’s dog in Macomb.

The live streaming video is from private cameras that have been hacked, and that video is now being shown live on a Russian website (which we are not naming).

The website claims that they’re making private cameras public because people are not changing the default passwords on their IP camera systems.

“We’ve had a tremendous amount of credit card fraud out of Russia and China and these other countries. Do they have other motives? Or are they just playing a game and nobody really knows,” said
Ned Timmons, a retired FBI agent who now runs a security consulting company in Walled Lake.

Timmons says this happens with these IP cameras, which are used to send data over the web to your smartphone or tablet, because no one changed the manufacturer’s security code when the cameras were installed.

“People should use a bank-type security code which includes, capital letters, small letters and numbers in that code,” said Timmons.

We found people and businesses all across the country not following that advice, including a naked man roaming around his family room in Virginia. 

How about medical procedures? We found a live operation in Missouri where you can see the needle coming out of the patient's face. Also, we saw a sleep clinic in Maryland where a man is wired to be monitored and then he’s seen sleeping on camera live.

We located lots of children. Numerous daycare centers with tiny, innocent babies in Michigan; school-age children playing, laughing in their classrooms in Pennsylvania; and even a precious, young girl sleeping in her bed in Georgia.

No outside eyes should be seeing this.

Then there were crib cams. They are the very thing that parents buy, so we can keep an eye on our children; keep them safe from the outside world.

One man was so devastated by the idea that someone would livestream his infant to the whole world on the Internet that he asked us not to show the video.

"It's like leaving your blinds open and a bunch of people looking in at you,” said the father who wants to remain anonymous.

He told us it was “very unsettling” for the family to find out he and his baby were on the site.

"I should have been very much more diligent about realizing that's a window into your home,” he told us.

"I would find it (violating) for myself and for any family member," said Candice Hoke, a Cleveland State University Professor of Law and Cybersecurity Expert.

Hoke puts the blame not only on the hackers, but the companies making the cameras. 

"They’re putting that product out on the marketplace quickly and frequently they undercut the design and engineering process - especially for security," she said. 

But she also blamed our government leaders.  She's worked with the Department of Defense and Homeland Security. She said if the FDA has to approve drugs, then why is there no set of standards for security cameras.

"The risks to American consumers and American businesses are substantial," Hoke told us.

We even found a live stream of women in California changing their clothes for work, which is a place where privacy is expected and should be protected.

Candice said that kind of online protection is something the Federal Trade Commission wants oversight on. 

"The FTC has asked for years for direct authority to be able to issue rules for baseline cybersecurity and Congress has not authorized it,” she explained.

We reached out to six of the top brands of cameras that the Russian website noted in its hacking:
Panasonic, Lynksys, Sony, TpLink, Foscam, and Axis. The only companies that responded were Lynksys and TP-Link.

They denied us an interview but sent these statements:

In 2014, Linksys was made aware by various media sources of the ability to view older Linksys IP cameras’ live streams when hackers used the default password.   As a result – Linksys stopped selling those older IP cameras and posted firmware updates to our website for all Linksys cameras that shipped with default passwords and did not force users to change these default passwords.  However, if customers did not update the firmware or change their default password, they would still be susceptible to hackers using the default password that shipped with the cameras.  We continue to urge customers to change their passwords on all their networking devices during setup and on a regular basis thereafter. Here is more information about how to change your camera password:

TP-Link response:

- How does this hacking happen with your cameras/systems?

These cameras have not been "hacked." The site itself specifically states that all cameras in its collection are accessible because they either lack password protection or they use common/easily guessed passwords. All TP-LINK cameras feature password protection and the type of "hacking" that you have described can only occur if two specific conditions are met simultaneously. (1) The user must expose the camera by enabling one of the UPNP, PPPOE, DDNS, or DMZ functions, which are all disabled by default, and (2) the user must continue to use the default password or use a weak/easily guessed password.  
If the user has set a strong, unique password or has not activated the UPNP, PPPOE, DDNS, or DMZ functions, this so-called "hacking" is impossible.

- What are you doing to let customers know that their cameras have vulnerabilities?

TP-LINK cameras do not have vulnerabilities. Consumers are choosing to open up their cameras to public viewership by enabling one of the UPNP, PPPOE, DDNS, or DMZ functions. We are crafting additional statements that explain the risks associated with selecting these settings and we constantly remind users to change default passwords during the set-up process.

- What have you done to help prevent this from happening to cameras you currently manufacture?

We have taken a number of steps to tighten security and prevent accidental intrusions. TP-LINK ensures that UPNP, PPPOE, DDNS, and DMZ functions are disabled by default on all of our camera products, meaning that one of these features must be activated by the user for the camera to be exposed. Also, as a matter of practice, we always strongly recommend that users secure their devices by creating strong, unique passwords for any TP-LINK product. Finally, we are developing a new access process that will force users to log-in with a unique username and password when accessing their camera feeds, moving forward.

- How long have you known about this problem?

While this particular website has only come to our attention within the past month, these general security concerns have been known for quite some time. This is why TP-LINK takes various steps to educate and limit the risks that our customers face. The company has disabled certain functions by default and strongly urges its customers to create strong, unique passwords for all devices. TP-LINK is also changing relevant access policies to ensure that users do not continue to use default passwords when setting up their cloud cameras.

- Have the vulnerabilities hurt sales?

We do not have any data that would suggest a significant or unusual trend in camera sales or that would demonstrate any causal relationship between these specific security concerns and sales of these product lines.

- Do you worry about liability in cases where people's private lives have been invaded?

We attach great importance to user privacy and the security of information. We already have a number of safeguards in place to protect our customers and we continue developing new ways to keep our users and their information as safe as possible. Caring for our customers and providing them with adequate security, while offering the best user experience has always been our top priority and will continue to be, moving forward. 

One of the biggest messages for you at home is to change your default settings and make strong passwords. That will help in the fight against hackers.