We can't easily shut down Russian webcam hackers, admits Information Commissioner

A Russian website streaming images from private webcams installed in hundreds of British homes and businesses cannot be quickly shut down, the head of the data privacy watchdog has admitted.

The acknowledgment from Information Commissioner Christopher Graham that his powers to target the Moscow-based site are limited was made as it emerged that the same web address links to other hacked cameras where the direction and focus of the device could also be controlled remotely.

The website, whose address is not being disclosed by The Independent, had 584 feeds from premises in Britain showing children’s bedrooms, kitchens and lounges as well as garages and business premises, including a Post Office.

Those behind the voyeuristic operation said they had accessed the cameras and other web-connected video devices such as baby monitors using default passwords and logins which had not been changed by their owners, saying they were seeking to “show the importance of the security settings”.

The site has continued to transmit images of cots and bedrooms in which children could be seen as well as pictures of elderly people at home. One showed a Manchester gym while another had footage from a beauty parlour in Wembley, north west London.

The inclusion by the site, which has been in operation for about a month, of the apparent postcode and latitude and longitude coordinates of each camera has raised concerns that the information could be used by criminals to locate and target vacant or empty homes shown online.

open image in gallery

As well as featuring hundreds of British cameras without the knowledge of their owners, the site offered feeds from 10,000 others around the world, including nearly 4,600 in the United States and more than 2,000 in France.

The Information Commissioner’s Office (ICO) said it was seeking to contact its Russian counterparts to begin the process of removing the site as well as working with other foreign agencies including the US Federal Trade Commission, because the site’s Australian or Cypriot domain name had been bought via an American company.

Advising all camera owners to take the immediate step of changing their default passwords, Mr Graham said: “It may take longer to get the site taken down. It is not within my jurisdiction, it is not within the European Union; it is Russia. I will do what I can but don’t wait for me to have sorted this out. The action is in your own hands if you have one of these pieces of kit.”

The website, which accesses the live feeds of cameras used by owners to remotely monitor their properties, insisted its actions were “fully legal”. It said: “This site has been designed in order to show the importance of the security settings. To remove your public camera from this site and make it private the only thing you need to do is to change your camera default password.”

open image in gallery

The ICO said last night that if the site had been based in Britain it would appear to have broken at least two laws, including the Data Protection Act, by illegally accessing private information.

Originally based in Moldova, the site recently changed its location to a web address in Moscow and uses a domain name linked to Australia or Cyprus.

As well as offering unfettered access to still images and live footage from cameras, the site also effectively provides a “how to” guide for finding and accessing other cameras.

It provides a link to another site showing how to find obscure web addresses for cameras as well as advising the default passwords used by manufacturers are widely available on the internet.

Other links on the site lead to cameras in business and domestic premises that also appeared to offer the ability to control the direction, angle and microphones of the devices.

Cyber security experts warned that the webcams were part of a wider problem with users failing to recognise the vulnerability of the vast amounts of information their digital devices collect.

Maxim Weinstein, security adviser to Sophos, said: “Every internet-connected device - be it a smartphone, tablet, laptop, webcam, or thermostat - is essentially a monitoring device. They know where you are, what you’re doing and in many cases they can see and hear you. There’s always the risk that a criminal will hijack your ‘connected devices’.”

From a camera in Birmingham gazing down on two unmade children’s beds, to another watching over a sports car in a Home Counties garage, the 584 feeds from British webcams offer footage that few - if any - would want to make public.

Many of the images available on the Russian-based website are anodyne scenes of daily life: empty pubs, chaotic garages, pets in their baskets and, in one case, a church porch.

But carelessness with default passwords on devices whose selling point is the hi-tech ability for owners to view footage of home or a workplace wherever they are has made available to all material that could only ever be private.

Images of baby’s cots or children’s bedrooms were available from Guildford, Bedford, Hemel Hempstead, Leeds, London and Reading.

A elderly woman could be seen sitting in her Wakefield home, while in Woking a small boy was to be found watching television from a camera placed in the corner of a sitting room.

Elsewhere there was a feed from behind the counter of a Hampshire Post Office. The letters piling up on one domestic doormat - suggesting the owners were away - offered a potential target to burglars.

Some subjects were more esoteric. A farmer in Woking had focused a camera on their cows, while one Crawley resident was beaming footage of a fish tank.