NBC 6 Investigation: Security Cameras Not So Secure

You might call it “creepy-cam.”

A foreign website is offering one-stop access to anyone wanting to peer inside dozens of South Florida homes and businesses, whether bedrooms, driveways, retail counters or anywhere else in the range of security cameras attached to the Internet.

In all, tens of thousands of cameras worldwide are aggregated on the site – which Team 6 Investigators is not going to identify – providing web camera owners with what the site administrator says is a lesson: change your password.

A recent visit to the site turned up images of a doll in a Miami bedroom, a crib cam in Miramar and a woman sitting at her desk in a South Florida office – a veritable World Wide Window into people’s private domains.

While the images vary, they share one bond: a weak password, often the same one that came with the device.

In an email to our sister station, NBC 5 Dallas-Fort Worth, a man answering an email addressed to the website administrator wrote he was doing research “and was shocked by results.” He said his site is designed to “point users into a large security problem: … millions of insecure cameras.”

The security hole is ironic for consumers seeking to enhance their security with cameras, said Alex Rincon, a video surveillance expert with the Zehirut Group. “People want a security system in order to increase their security, but what this is doing is basically the opposite,” Rincon said.

He said owners of surveillance cameras and other devices on wireless networks need to change the default user names and passwords – those that come with the device – to more secure versions.

For instance, many camera systems come with the user name “admin” and password “123456”.

“This is usually what people don’t change,” Rincon said. “They don’t know they have to change it (to a) password that will prevent people from getting inside” their security system.

The Federal Trade Commission gives this advice for choosing a password:

  • The longer the password, the tougher it is to crack. Use at least 10 characters; 12 is ideal for most home users.
  • Mix letters, numbers, and special characters. Try to be unpredictable – don’t use your name, birthdate, or common words.
  • Don’t use the same password for many accounts. If it’s stolen from you – or from one of the companies with which you do business – it can be used to take over all your accounts.
  • Don’t share passwords on the phone, in texts or by email. Legitimate companies will not send you messages asking for your password. If you get such a message, it’s probably a scam.
  • Keep your passwords in a secure place, out of plain sight.