SAN DIEGO – Thousands of surveillance cameras in homes and businesses are being streamed online for the world to see, including a number in San Diego. And in many cases, it appears the camera’s owner has no idea.
There are cameras in southern California showing the inside of living rooms, kitchens, and at least one bedroom. Others show office spaces, foyers, heavy machinery, or the outside of buildings.
All of the cameras have a security flaw exploited by the website www.insecam.org, which claims it wants to bring attention to the countless cameras around the world that are unsecured. The website insists the cameras aren’t hacked; they simply lack password protection.
There are 20 cameras listed on the site from San Diego, 29 in Los Angeles, and a handful in other southern California cities. They are part of the 1,757 cameras currently streaming live from the United States, the country with the most listed cameras by far. (That said, the total number of viewable cameras in the U.S. appears to have decreased significantly since media reports first surfaced on the website in late October.)
“Websites like this are using an algorithm to crawl out on the internet and find webcams that are not secured. And what not secured means is they may not have a password set,” said Dr. Lance Larson, assistant director of the Graduate Program in Homeland Security at San Diego State University.
Larson said he’s found ten websites so far that are trolling the internet for unsecured cameras.
To be sure, some of the cameras listed on insecam.org are intended to be public, like one inside Nicholson Commons at Point Loma Nazarene University. The university also live-streams this camera on its website. Some of the cameras are also mislabeled. San Diego 6 determined that one camera showing the inside of dog daycare business was actually streaming from Hawaii, not San Diego as the site claimed. In that case the business was also offering the stream publicly on its website.
But Dr. Larson suspects most of the cameras on insecam.org were intended to be private. And not only are these cameras viewable – some can be repositioned remotely by anyone, anywhere. In some cases, a camera can pan or tilt nearly 360 degrees, providing angles the owner of the camera may never have intended.
For example, a camera inside a smog-test business in southern California points at the main entrance. But with a few clicks, the camera can be tilted down to the cash register and credit card machines – providing what could be an advantageous view for a criminal.
“Any camera that’s connected to internet is potentially vulnerable unless we set adequate restrictions and protection,” Dr. Larson said.
Consumers should make sure all of their internet-connected cameras have a password, he said. Larson recommends the password be at least 15 characters in length. He also has a more conventional solution: place tape over a web-enabled camera when it’s not in use.