◾ „Privacy is not something that I’m merely entitled to, it’s an absolute prerequisite.„ – Marlon Brando
[25.11.2014/22:00 UTC+1 – UPDATE]
Insecam.com now says: „The coordinates of the cameras are approximate„. But that is simply not true.
Despite insecam now only seems to show obvious uncontroversial cams, you are now able to get to the cameras IP-address. I found cameras which I am not sure, if they were intentionally open to take control over (zoom, rotate etc.).
This might lead in some cases to circumstances under which you could manage the camera to look into areas that are not supposed to be streamed. Insecam continues with its explanation: „They point to the ISP (IP) address and not the physical address of the camera. This information is accurate only to a few hundred miles. The coordinates are provided only to locate the city where the camera is located, but not it’s exact position or address.“
Uhm, not sure how much more accurate you could be with having the IP-address which does forward to the cam?!?
Or do I misinterpret this point somehow? Even if you are changing the coordinates generously on insecams geo-map, the IP-address does not lie.
E.g. I found this camera in Liechtenstein: http://www.insecam.cc/cam/view/511xx/
with coordinates (47.141510 | 9.521540) on insecam:
If you click to open the stream, you are directed to the IP which provides the camera and its interface:
Now I decided to look who this might be via his IP-address. I did use iplocation.net to select the best result and opened
the associated Google-Maps-Link:
Looking at the streamed Image I noticed the text „Studio_Decke“ (in the lower left corner), so I did look on Google if
I could find a „Studio“ in the area „Altenbach“.
After a few minutes I got two perfect results. One company has a very similar logo as shown on the streamed front door.
I did sent the company owner an email, and now I am waiting for a response, if it is his cam and if he wanted to stream
his visitors to the world.
Remember what insecam told us? This information is accurate only to a few hundred miles. The coordinates are provided only to locate the city where the camera is located, but not it’s exact position or address.
I don’t only want to criticize his work with insecam.com constantly and I am happy he decided to
take the private streams offline, but the more you look into details, the more questions arise.
I decided not to dig deeper on that insecam thing. It is up to competent authorities to decide what actions are necessary, or not…
The original blogpost (12.11.2014) about identifying the insecam owner is currently protected via password for special access only. Competent authorities were informed to investigate the issue on insecam.com. The site insecam.com and insecam.cc do currently not stream private Webcams anymore, and so my „work“ for the moment seems to be done.
I am sorry for the guy behind insecam.com, that I had to make him public known, but there was no other way
to force his ugly site to be off the web! I can not accept someone does stream kids and private cameras all over the world!
It is NOT a collateral damage to stream private cameras. And it is not right or justifiable to login to cameras which are protected with simple or standard passwords! They ARE protected! No matter if with weak password or not. You do not have the right to log in to this systems and it IS a crime!
If you are a serious IT-Security Researcher you would never try to inform the masses about such kind of problem
by exposing them public! You would rather setup a site which detects only the visitors IP-Address and offer to scan
for weak passwords and a possible open stream (right that is more work than just grab the data from Shodan-API and stream cams & draw the IP-Geolocation!).
The guy behind insecam knows that I got him. And I can only ask him to stand behind his „project“ with his real Name! Because what we are seeing now on the News is a lot of crap about „Russia“ is attacking us, and panic that suggests false things about „evil l33t haxors“ (maybe let us call him the „moldovan programmer looking for a job“)…
He is only making things worse by trying to hide and keep an illusory and mysterious veil of fog on insecams intentions.
The lesson he might have learned: „cover your tracks, before trying to come around the next corner with your pseudo operation you don’t want to be traced back to…“
If you are a journalist or from a law enforcement authority and want to get in contact with
me for details, please do so via Twitter first (@Tactic4l).
The intention behind this article is NOT to start a smear campaign against someone.
I might be totally wrong and I would then apologize. But so far I am trying to find the
bigger context of all of this. Maybe the one person (yes it is a single person as he did let me know) behind insecam had really good intentions. And this assumed I urge you all to not stalk or harass this guy. But we need to find another solution to throw light on such kind of issue as with open cameras (or poor secured ones). I have a lot of respect for the one that started this campaign, but he should have put his name on the site, and explain open to the media what his intention is. He should have created a site which lets you detect if your private camera is streaming to the world….using the front door was not the best option in this case, although it did lead to more excitement! All all at the expense of privacy….
Trying to stay anonymous, with this kind of site he created, is like to challenge the devil…always a bad idea!
You all stay safe & remember to regularly change your (hopefully strong) passwords ;-)
Here some related articles worth to read:
Webcam snooper now looking for a Job (pcworld.com by @Jeremy_Kirk )
Dem Webcam-Spion auf der Spur (NZZ.ch)
Russian webcam hacker uses Insecam site to look for Job (Independent UK)
Programmer behind webcam-snooping Website replaces site with a job ad (Fox News)
Piraten erstatten Anzeige (Tageblatt.lu)
Security Cams in Luxemburg geknackt (Tageblatt.lu)
Office of the Privacy Commissioner of Canada (Letter to operators of webcam website)
Information Commissioner’s Office blog
Office of the Information & Privacy Commissioner of British Columbia
UK moves to shut down Russian hackers streaming live British webcam footage (the Guardian)
This Terrifying Website Lets You Spy on People Through 73,000 Private Security Cameras (Mic.com)
This Website Streams Camera Footage from Users Who Didn’t Change Their Password (Moterhboard)
Thousands Of People Worldwide With Home Security Cameras Are Being Spied On By A Russian Website (Business Insider)