A New Zealand infosec consultant on holiday with his family in Cork saved them all from being livestreamed by a hidden spycam in an Airbnb by a) being good and paranoid and b) knowing his way around a network scan.
You can see all seven of them smiling up at the webcam in this 1 April Facebook post from Nealie Barker.
That photo came from a camera camouflaged to look like a smoke alarm. The Barker family only discovered it was actually a spycam because, as Nealie told CNN, her husband, Andrew Barker, routinely runs scans of networks when they check into lodgings and sign on to the Wi-Fi networks.
Nealie says that their first impulse was to call Airbnb. Talk about unhelpful. CNN quoted her:
They had no advice for us over the phone. The girl just said that if you cancel within 14 days, you won’t get your money back.
OK …and if you don’t pack up and vamoose, you get what? Your kids live-streamed on some creepster site, maybe? That’s certainly happened.
Next move: Andrew called the host. The host’s reaction: *Click!*
After the host initially hung up on Andrew, he later called back and insisted that the camera in the living room was the only one in the house.
We didn’t feel relieved by that.
She said that the host refused to say whether he was recording the livestream or capturing audio.
Know thine own policy, Airbnb
Undisclosed electronic surveillance is verboten per Airbnb rules. It’s also completely verboten in “private” spaces, such as bedrooms and bathrooms, even if a host does disclose it.
But in this case, Airbnb seems to have developed amnesia about its own rules. After the family packed up and moved into a hotel, the rental company continued to treat it as if it were nothing more than a cancelled booking. Then, Airbnb’s trust and safety team promised to conduct an investigation, and it temporarily suspended the listing.
The Barkers didn’t hear back from Airbnb until Nealie reached out to the company, at which point they told her that the host had been “exonerated” and his listing had been reinstated. Nealie said that the “investigation” didn’t include any follow-up with the Barkers; nor did Airbnb provide an explanation for its decision, which it made in spite of the Barkers having presented photos and stills from the video feed.
As Nealie tells it in her Facebook post, it took 33 days and 10 more unsuspecting guests staying in the property (she knows because at least some of those guests contacted her, she says) before Airbnb told her, on 5 April, that it had removed the listing and the host.
In fact, Airbnb didn’t take action to permanently ban the host until after Nealie posted about the incident on Facebook and local New Zealand news stations reported about her family’s experience.
Airbnb provided this “oops!” statement to CNN:
The safety and privacy of our community – both online and offline – is our priority. Airbnb policies strictly prohibit hidden cameras in listings and we take reports of any violations extremely seriously. We have permanently removed this bad actor from our platform.
Our original handling of this incident did not meet the high standards we set for ourselves, and we have apologized to the family and fully refunded their stay. There have been over half a billion guest arrivals in Airbnb listings to date and negative incidents are incredibly rare.
Been there, been spied on
One can be forgiven if one takes Airbnb’s assurance with a grain, or perhaps a pound, of salt. These incidents may be rare, but they probably don’t feel that way to all the people who’ve experienced the beady eyes of creep cams trained on them. Like these people, or this guy, or this guy.
It’s not just Airbnb
But don’t let this incident scare you away from Airbnbs. At least, don’t let it scare you away from just Airbnbs. According to CNN, the Barkers said that their experience shows what can happen when you book “unregulated” accommodations in the “so-called sharing economy.”
Well, sure, but it’s also what can happen when you book accommodations in purportedly more tightly regulated lodgings. Like, say, motels in Seoul: last month, police arrested two people for setting up spycams to secretly film about 1,600 motel guests over the previous year, while the Seoul Metropolitan Police Agency’s cyber investigation unit also booked two people for selling the videos – as in, they had a paying audience of peeping Toms.
Back in 2008, a hotel owner likewise got busted for setting up live feeds to record people having sex.
This is nothing new: spycams have been set up in Airbnbs, motels or hotels for a long time… probably as long as webcams have been around, one would imagine, bringing with them the convenience of creepsters being able to record people while they themselves are safely off-site (or at least they think they’re hidden away …until police get complaints and track them down, that is). So much more convenient than having to crouch over a peephole at exactly the right time when guests are doing something interesting, eh?
Of course, even if we never step foot in a hotel or motel or Airbnb, we’re all potential stars in somebody else’s peep show, thanks to all the hacked babycams, hacked Nest cams, and sites that stream feeds from IP cameras in nurseries, changing rooms, locker rooms, and schools.
So how do you keep yourself from being cast in CreepTV? We can turn to Andrew Barker for advice on that. He should know!
How to Nmap your digs
Following his family’s ordeal in Ireland, Andrew was kind enough to write this blog post about increasing your chances of finding a hidden camera.
He explains how to thoroughly vet an Airbnb listing to see if it mentions cameras anywhere. There’s no specific field for disclosing it, he noted, so you have to comb through the listing to see if a camera is mentioned anywhere. Alternatively, if a camera shows up in any of the listing’s photos, then Airbnb considers that ample notification. If a listing makes no mention of a cam, nor includes any photo of one, then it hasn’t been disclosed, and you can get a host in hot water if you find one on the premises.
How do you spot one? We’ve given instructions before on how to find hidden cameras both the analog way – for example, a webcam needs to see you, and the line of sight means that you can see it – and the digital way, by using tools such as the Nmap network scanner.
Andrew Barker also gives digital and analog webcam-hunting instructions, but as he points out, the network scan approach isn’t failsafe. He actually got lucky, he says:
We got lucky (if you can say that), the host had the hidden camera on the same network as the wifi that he allowed us access to and the stream was not protected (required authentication to access).
If a camera is hidden well and is not on the network (i.e. records to an internal memory card) or is on a network that you don’t have access to it may be very difficult to identify.
What to do if you detect an undisclosed camera
- Take photos of the device for evidence.
- Take photos of your accommodation so you can prove that you haven’t trashed the place: some hosts have reportedly made such false accusations.
- Get your clothes on and get out of there.
- Report it to police. You want to stop that stream before other people get swept up in it.
- If you’re in an Airbnb rental, report it to Airbnb, along with your evidence, before it happens to another victim.
Source : Naked Security