Insecure CCTV feeds of kids at school are being streamed live online

Live video feeds from UK schools are being streamed by a website that collects them from cameras that aren’t properly protected with passwords.

That is, feeds of restrooms, playgrounds and corridors, both inside and outside the buildings, that show school kids as young as infants, teachers, parents and cleaning staff – all freely available to any creep or crook who likes that kind of thing.

The Daily Mail picked up on the site’s antics, reporting on Sunday that it was seeing live feeds from security cameras in “at least” four British schools.

The publication didn’t mention the name of the site. But it did report that the site boasted this:

“Watch live surveillance cameras in the UK”

…a search term that points to a site found to be doing the exact same thing in the past. In 2014, reporters at the Daily Mail found that a similar site was streaming feeds from IP cameras in the UK that showed lots more besides schoolkids, including:

  • Babies in cots
  • A schoolboy playing on his computer at home in North London
  • Another boy asleep in bed
  • The inside of a Surrey vicar’s church changing room
  • An elderly woman relaxing in an armchair
  • Two men in a kitchen sharing a meal

I checked in on that company to find out if it’s responsible for the material the Daily Mail found this time around, which included:

  • Footage from a CCTV camera installed in a toilet at Summerhill School in Kingswinford, West Midlands. Last year, after parents found out about the cameras, they called the surveillance “intrusive” and “creepy,” reporting that some kids were refusing to use the toilets. Terrible for the bladder, but still, smart kids! In November, the BBC reported that school administrators had claimed that “no cameras are directed towards sensitive areas including cubicles or urinals”. However, one of the stills shown in the Daily Mail’s recent report comes from a camera squarely pointed at a pair of urinals at Summerhill.
  • Seven CCTV cameras being live streamed from Highfield Leadership Academy in Blackpool, whose student body includes 1,130 pupils aged between 11 and 16.
  • Infant school children leaving their classrooms and being picked up by parents at St Mary’s Catholic Academy in Blackpool, which has 1,188 students enrolled.

The site the Daily Mail reported on in 2014 still calls itself the world’s biggest directory of online surveillance security cameras: one that lets you pick a country from which to watch “live street, traffic, parking, office, road, beach, earth online webcams,” all live, all available online because they aren’t secured with a password.

But the site also assures visitors that it’s now only offering feeds from “filtered cameras,” whatever that means. At any rate, the site says that at this point, “none of the cameras … invade anybody’s private life” and that if any “private or unethical camera” is found, it “will be removed immediately upon email complaint.”

Mind you, we have no clue if this is the same site. I asked, and I’ll update the story if I hear back.

In the meantime, the Daily Mail reports that staffers at St Mary’s and Highfield “strengthened” their passwords, “thereby removing cameras from the site.” Likewise, Jeremy Hartley, of the Eric Wright Group, which runs CCTV systems at two of the schools, said that the camera feeds were “immediately” taken offline and that technology experts are investigating the breach and the cause.

The site is reportedly in the US. It’s denied wrongdoing, saying that cameras simply need more security. The UK’s Information Commissioner’s Office has launched an investigation.

Is it a privacy breach, when someone isn’t using a password on their IP camera, or they don’t change the default password it shipped with?

Absolutely. Back in the 2014 incident, Jay Leiderman, a US lawyer with experience in computer intrusion cases, said that streaming private video feeds flagrantly breaks US law:

“It is a stunningly clear violation of the Computer Fraud and Abuse Act (CFAA).”

Even if you use that withered old prune “password” as a password, it’s still illegal for somebody to access your device unless they’ve been authorized to do so. As these types of sites are happy to point out, it doesn’t require “hacking” to find unsecured video feeds online. The FAQ for one of them even provides links to tools that do the searching for you.

But please don’t. The people being spied on aren’t guilty of whatever lax security in the internet-enabled cameras allowed their privacy to be invaded.

Yes, people with IP cameras can change their default passwords, and they absolutely should. But in many cases, these cameras are installed by third parties who should do so but don’t. That’s no good reason to invade the homes – or schools – of their hapless clients.

Whether the cameras are in locker rooms, nurseries, people’s homes, or trained on our kids, if somebody else has installed a camera for you or for any of your colleagues, friends or family, please do grill the installer for details on what type of password the device shipped with: whether it was unique to the device (preferable) or required a password change upon installation (ditto) or whether it had a default password that needs changing.

If it does have a default password, please change it to something unique and hefty! If it has no password at all? Ditto!


Source: Naked Security
