Cybersecurity IoT

50,000 IoT Home Cameras Allegedly Hacked

Some Footage Even Published on Adult Websites with Cybercriminals Providing Unlimited Access for $150

This article is of paramount importance considering the FBI’s recently issued recommendations concerning IoT (Internet-of-Things) home security devices, especially those with voice and video features, and the fact that this month is National Cybersecurity Awareness Month.

A hacker group reportedly breached over 50,000 home security cameras before stealing private footage and posting some online. Although a significant amount of the videos appears to have originated from Singapore, numerous people residing in Thailand, South Korea, and Canada seem to have had their privacy invaded as well.

Some of the aforementioned videos, ranging from 1 to 20 minutes long, reveal individuals of all ages in compromising positions or different levels of undress uploaded to adult websites.

*The New Paper, which released the news, quoted the undisclosed hacker collective as declaring that it has shared the clips with 70+ members who paid $150 for unlimited access to the collection. The group, who regularly communicates on the instant messaging application Discord, has almost 1,000 members that supposedly specializes in hacking security cameras.

To lend extra credibility to their claims, the collective is offering a free sample containing 700 megabytes worth of data comprising over 4,000 clips and pictures. They are also reportedly willing to share access to all hijacked cameras with fellow members. Moreover, “VIP members” with voyeuristic tendencies will be treated to a course on how to “explore, watch live and record” hacked cameras, which could mean that the number of private videos could grow over time.

“As worrying as it may seem, this comes as a clear reminder that when cameras are placed on the Internet, they must be properly installed with security in mind. When smart devices, such as TVs, are set up, they are still regularly placed around the home with no second thought for privacy,” said ESET Security Specialist Jake Moore. However, he hopes that the incident will prompt people to take security precautions when setting up their smart cameras.

While details on how the cybercriminals were able to gain access to the cameras that are usually used to boost security or monitor minors are sparse, there are multiple plausible explanations for how the cameras were compromised.

Much like other devices, Internet-connected cameras are not immune to security vulnerabilities. For example, a few months ago British consumer watchdog Which? warned about 3.5 million cameras from around the world that were susceptible to hacking due to a set of security flaws. Last year, ESET researchers uncovered a series of vulnerabilities in a D-Link cloud camera that could have allowed attackers to tap into its video stream.

Poor password hygiene could be blamed for the hacks. Users may have stuck to the default password that was set up by the device manufacturer and would not be hard to obtain or guess for anyone with ill intentions. Other users may have underestimated the need for a strong and unique password or passphrase for a ‘mere’ IoT device.

Whatever the case, IoT security should not be underestimated as the use of smart devices has profound security and privacy implications. To save yourself from a privacy nightmare in the future, make sure that your IoT devices run the latest firmware version and any security patches are applied promptly. When choosing a password, try to avoid the cardinal sins of password creation. Whenever possible, secure your accounts with multi-factor authentication. If you are considering buying a connected device, instead of going for the cheapest option, choose a reputable vendor with a proven track record of manufacturing properly secured devices that they regularly update and patch during its lifecycle.