Cybersecurity expert explains how to protect your security cameras from hackers

Mothership Explains: Last week, footage from security cameras in homes in Singapore was leaked and sold online. In the face of such serious infringements on privacy, here's what you can do to protect yourself.

Jane Zhang | Andrew Koay | October 18, 2020, 07:06 PM

Recently, we learned that security cameras used in Singapore homes were reportedly hacked, and footage was uploaded online.

The hacked footage, some of which ended up on pornographic sites, showed scenes of people in compromising positions, such as having sex, changing, using the bathroom, and lounging in the supposed privacy of their homes.

The New Paper reported that a group dedicated to hacking IP cameras, which supposedly has almost 1,000 members worldwide, was behind the hacks.

As our world continues to become more technologically-connected, security cameras are supposed to keep us more safe and secure.

But when they are used against us, what can we as individuals do?

Mothership spoke to a cybersecurity expert who had some advice on how regular folks can better protect themselves.

Matthias Yeo is the Chief Operating Officer of Momentum Z, a cybersecurity & consulting, advisory and technologies services organisation headquartered in Singapore.

Here's what he shared with us.

1. Consider disconnecting your camera from the internet

Yeo himself doesn't keep any security cameras in his house: "You know me, right. IT security people are very skeptical by nature, so I don't have anything. But I can understand why people have it."

He acknowledges that some homeowners install security cameras to keep an eye on what goes on in their houses; such users might want to be able to go back and view the footage if anything happens.

If that's the purpose, then he suggests that people buy cameras that are not linked to the internet, as they can review the footage offline.

But Yeo also recognises that some users want to access their camera's surveillance feed at any time — for instance, to check on an elderly parent at home.

In that case, then, manufacturers need to do their due diligence in order to make sure the cameras are secure.

And some manufacturers are indeed now placing higher value on security because of the danger cameras can pose, if they are hacked.

2. Do your homework before buying

First, Yeo suggests, "You need to do your homework first, lah, before you buy."

Most cameras, as well as other devices that connect to the internet and other devices — known as the Internet of Things (IoT) — are built for convenience.

Which is why, Yeo explains, most manufacturers will prioritise function above security.

He points out the irony of the situation: that people tend to buy cameras to keep their houses secure, but don't pay attention to the technical security of their cameras.

This is why it is important to do your due diligence by reading up on the model of camera you're looking to buy, especially other users' reviews on forums.

Sometimes, he explains, people will post the steps for exploiting publicly-exposed vulnerabilities online.

"Try it!" advises Yeo, for those who already have security cameras. "If you can access, you are in grave danger. Please make sure that you remove the camera or you change the password."

Another option is to check the dark web — a layer of the internet that isn't accessible through regular browsing — as the information available through online searches is only the tip of the iceberg.

"We have a saying, that only 10 per cent of things are in the 'open web'. But in the dark web, that's where all the 90 per cent of things are happening."

However, Yeo warns, people must be careful on the dark web, as hackers might be able to counter-hack them.

This is where people like Yeo and his colleagues at Momentum Z come in.

As experienced professionals, they can help their clients check the dark web to see whether vulnerabilities exist for the camera in question.

3. What to keep in mind when buying a camera

Price

When deciding on a camera, does price matter?

That's a complex question, Yeo says.

A high price doesn't equate invulnerability, he explains. The high price of a camera doesn't mean that it cannot be hacked.

But at the same time, he says, a very cheap camera could raise red flags:

"Why are some things so cheap? Who is paying the costs? What costs are you paying at the end of the day — is it money, or is it security?"

Brand

So is buying from a large, reputable brand more reliable?

On one hand, as popular brands have more users, big names tend to be a bigger target for hackers.

Because of this, though, larger brands tend to add more security features, in order to strengthen their protection from the increased attention from hackers.

There's also the fact that they have reputations to uphold, and would need to invest more in security.

"So, I would say that, if I were to buy cameras for my home, I would buy from the bigger names," says Yeo.

4. Check if your camera has an admin password — and change it

How do hackers hack into cameras?

"When you have a WiFi camera at home, how do you access it remotely?", Yeo asks. The answer is via an Internet Protocol, or IP.

"So, IP is like a home address for you. It's like, if you stay in Bedok — that is your IP," says Yeo.

He explains:

"Unfortunately, because you need to have IP to connect, that IP also connects to you. So if you want to connect to your home camera, you'll connect to your home IP."

Therefore, he explains, the risk of exposure lies in the IP. If your camera is password-protected, anyone with your IP and password can access whatever you can access.

Once hackers find an IP address, the first thing they can do is to check whether there is a default administrator (or, admin) password, as this is an easy way to hack.

Many customers who buy cameras aren't even aware that there is an admin password, so they often go unchanged.

Default admin passwords are meant for situations where the customer needs support from the manufacturer, who uses this password to access the system and do maintenance work.

However, admin passwords also serve as backdoors, Yeo warns, as these passwords may be shared online — either on the regular internet or the dark web.

Change the admin password

Therefore, another way to better protect yourself after buying the camera is to make sure to change the default admin password.

"Don't take the password that the vendor gives you and think that is quite secure. Please don't do that!" Yeo says, laughing.

It's also a good idea to keep changing the password regularly, for extra security.

"The problem is that our world is interconnected. I can guarantee you, right, your email password of Yahoo, Gmail, and even something else is all the same.

So sometimes, compromising one thing allows you to be exposed in other things."

These passwords aren't hard for hackers to get, because if one website gets breached, then the same password used for other sites has also been exposed.

Thus, changing your password regularly is a good idea.

"Of course, make sure you change to a password you remember, or else after a while you lock yourself out," Yeo remarks.

Use a password manager

One way to develop strong and secure passwords without dealing with the hassle of remembering them is to use a password manager.

A password manager generates strong passwords for different sites, and you don't need to memorise them because the manager stores them in a secure, encrypted place.

After logging into the password manager, the manager logs into other sites for you, Yeo explains.

While this means then that your only point of vulnerability is your password manager, the probability of having it compromised is much lower.

"So it doesn't mean that there is no risk, but it's less of a risk than if you use the same password across the board."

5. Stay educated about cybersecurity

As the world continues to become even more technologically-connected, how can we protect ourselves from the seemingly ever-looming danger of hackers?

"I think as we come into this technological era, we must take a personal interest in at least the basic and fundamental aspects of cybersecurity," says Yeo.

There are a variety of resources and courses in Singapore available to those interested in learning more about cybersecurity, through entities such as NTUC, Singapore Polytechnic, the National University of Singapore, and the Singapore University of Social Sciences.

Yeo stresses the importance of staying safe in the technologically-connected world we live in:

"So I see [cyber]security today as physical security.

It's not the policemen or the vendors that can help to protect from the hackers. Yes, they do certain things, but we must be educated ourselves also."

Hear more from Yeo on this week's podcast:


Mothership Explains is a series where we dig deep into the important, interesting, and confusing going-ons in our world and try to, well, explain them.

This series aims to provide in-depth, easy-to-understand explanations to keep our readers up to date on not just what is going on in the world, but also the "why's".


Top photo via Getty Images / Witthaya Prasongsin.