Lately, PC users have been at risk of being spied on through unsecured webcams courtesy of a new service being offered by Internet of Things search engine Shodan. According to local cyber security experts, unsuspecting users of webcams are having their privacy disturbed by people finding their cameras listed via the new type of search engine.
This recently added service allows the US-based Shodan’s users around the world to view screenshots posted on its site of people conducting their daily affairs at home, in the office or any place where unsecured closed-circuit television cameras or external webcams are in place.
According to Ars Technica, the webcams are vulnerable to prying eyes because they have no password authentication, even though they use the Real-Time Streaming Protocol (RTSP), which allows for recording, media stream control and even device control.
In 2015, universities in Hong Kong were struck by an unprecedented wave of cyber attacks while overall cybersecurity incidents in the territory increased by 43% compared to 2014.
In the meantime, an attack on Hong Kong-based educational toy maker Vtech left over six million children’s profiles exposed and was billed as the year's worst cybersecurity breach in the Asia-Pacific region.
In August, thousands of Hongkongers were outed when pro-infidelity dating website Ashley Madison was hacked and the details of around 37 million accounts dumped online.
Although such users are not listed among Shodan’s primary customers, the service is open to everyone, including hackers, terrorists and anyone with malicious intentions, and this is one of the chief concerns.
According to Michael Gazeley, a Hong Kong-based cybersecurity expert and managing director of security firm Network Box, the information on Shodan could be exploited for malicious purposes.
For instance, paedophiles could use the information available to hack devices such as child monitors in a bid to make contact with young kids, Gazeley said.
Shodan also offers information on seemingly innocuous gadgets, for example the IP address and location of an unsecured network printer in a newspaper office. This means that users of the website could use it to locate vulnerable devices, hack into them and have access to previously printed or even classified documents.
Because many unsecured webcams do not offer a password option, Gazeley suggested setting up a managed security server at home. This can close off as many security holes as possible and put firewalls in place to ensure security is not compromised. Gazeley also pointed out that companies may be held remiss for selling devices with usernames or passwords that are hard-coded into the gadget. While this can make life easier for the consumer, it also makes it impossible for them to replace what they have with a more complex password.
Bryce Boland, chief technical officer for Asia Pacific at security firm FireEye, also called for manufacturers to step up their device security.
Hong Kong’s Privacy Commissioner for Personal Data, Stephen Wong Kai-yi, told the Post that users who access images and information on Shodan for malicious use would be infringing on the Data Protection Principles set out in Hong Kong’s Personal Data Ordinance. He gave the example of compiling information to identify individuals who may not wish to be identified, or gathering data without notifying the authorities. Wong also shared some general tips on Data Privacy Day via Facebook.
Facebook, which has 1.55 billion monthly active users, also urged users to review their privacy settings.
“If you haven’t gone through Facebook’s Privacy Checkup lately (or ever), this is a must-do now,” it said in a mass email.
“Click on the little lock symbol at the upper right hand corner of your Facebook feed. Privacy Checkup should be at the top of the drop down menu, with a little blue dinosaur right next to it,” it said. “When you click on that, it walks you through the top three tools to manage who sees what via your posts, apps, and profile,” Facebook added.
Although the services offered by Shodan are not technically illegal, Stephen Wong sent out a warning to would-be hackers, saying that anyone whose data privacy is infringed with malicious intent has legal recourse under the Ordinance to prosecute those responsible. These offences are punishable in Hong Kong by a sentence of up to two years in prison or a maximum fine of HK$50,000 (US$6,420).