Is your webcam a Trojan Horse for hackers, voyeurs and spies? Hundreds of Hong Kong households seen by strangers online via Shodan search engine

Internet users in Hong Kong, China and elsewhere are at risk of being spied on through unsecured webcams courtesy of a new service being offered by Internet of Things search engine Shodan.

As the world marks Data Privacy Day today, local cyber security experts are warning of unsuspecting users of webcams having their privacy invaded by people finding their cameras listed via a new type of search engine.

The newly added service lets US-based Shodan’s users around the world view screenshots posted on its site of people conducting their daily affairs at home, in the office or any place where unsecured closed-circuit television cameras (CCTV) or external webcams are in place.

A quick search this morning by the South China Morning Post for screenshots originating in Hong Kong turned up 161 results – with most coming from security cameras and webcams in residential homes and offices.

Every screenshot is furnished with an IP address and most pinpoint the device’s location in the city, at least down to the district. A mother carrying her child is captured in one image, and the accompanying information suggests they are located somewhere in the city’s Central district.

Even more disconcertingly, the Post was able to access 50 of the Hong Kong screenshots simply by signing up for the site’s free - not paid - service.

According to US-based technology news site Ars Technica, webcams are vulnerable to prying eyes because there is no password authentication, despite the devices using Real-Time Streaming Protocol (RTSP), which allows for recording, media stream control and even device control.

This will no doubt prey on HongKongers’ growing fears of being hacked or spied on by foreign governments or unknown parties.

Last year, universities in the city were struck by an unprecedented wave of cyber attacks while overall cybersecurity incidents in the territory jumped 43 per cent from 2014.

Meanwhile, an attack on Hong Kong-based educational toy maker VTech left over six million children’s profiles exposed and was billed as the worst cybersecurity breach in the Asia-Pacific region of the year.

Earlier in August, thousands of HongKongers were outed when pro-infidelity dating website Ashley Madison was hacked and the details of around 37 million accounts dumped online.

When reached by the Post, Shodan founder John Matherly said the company aims to provide a “complete view of the internet”, which includes information about control systems, databases and webcams.

While Shodan does allow users to search for webcams, Matherly insists that is not its primary purpose.

“Shodan isn’t a webcam search engine, the same way that Google isn’t a webcam search engine, even though you can find them on there,” he said.

The Swiss national said screenshots from devices like webcams were added to the site “recently” to provide more information about internet devices to users.

Although not listed among Shodan’s primary customers, one of the chief concerns is that the service is open to everyone including hackers, terrorists and anyone with malicious intentions.

Michael Gazeley, a Hong Kong-based cybersecurity expert and managing director of security firm Network Box, warns that the information on Shodan could be exploited for malicious purposes.

Tapping into parents’ fears, he said paedophiles could use the information available to hack devices such as child monitors in a bid to make contact with young kids.

“There are already pretty horrible people who are piggybacking on Shodan to categorise devices for the purposes of contacting children and things like that,” said Gazeley.

“It’s just awful.”

Part of the problem, he said, is that consumers often forego security for convenience.

“Many people don’t worry about security, they don’t think about it,” he said.

“The scary thing is that we’re installing more internet devices into our homes and offices, and yet many users still have usernames and passwords like ‘Admin’ and ‘123456’.”

Shodan also offers information on seemingly innocuous gadgets, for example the IP address and location of an unsecured network printer in a newspaper office.

This means users of the site could use it to locate vulnerable devices, hack into them and have access to previously printed or even classified documents.

According to a report by CNN in 2013, security professionals, academic researchers and even law enforcement agents are the primary users of Shodan. Security professionals reportedly use it to spot unsecured devices and alert device owners - such as corporate clients - about the vulnerabilities.

But Matherly was quoted as saying that individuals with nefarious intentions could use Shodan as a “starting point”.

Cybersecurity experts responded by urging people to secure their personal computers with well-encrypted passwords.

As many unsecured webcams do not offer a password option, Gazeley suggested setting up a managed security service at home. This can close off as many security holes as possible and put firewalls in place to ensure security is not compromised.

But consumers are not alone in shouldering the blame for security lapses in their connected devices.

Gazeley pointed out that companies may also be held remiss for selling devices with usernames or passwords that are hard-coded into the gadget. While this can make life easier for the consumer, it also makes it impossible for them to replace what they have with a more complex password.

“Quite frankly, [some companies] are going to choose the easiest route that will please consumers more,” said Gazeley.

“If you sell a device that is user-friendly, where you plug it in and everything works, customers will be smiling right up until they get hacked, and then it’s a whole different story,” he added.

Bryce Boland, chief technical officer for Asia Pacific at security firm FireEye, also called for manufacturers to step up their device security.

“Manufacturers need to put security at the centre of their development practices, and consumers need to be more conscious of potential risks,” he said, adding that the security situation is likely to get worse before it gets better due to the rapidly multiplying nature of internet-connected devices.

Meanwhile, Hong Kong’s Privacy Commissioner for Personal Data Stephen Wong Kai-yi, who was appointed last summer, told the Post that users who access images and information on Shodan for malicious use would be infringing on the Data Protection Principles set out in Hong Kong’s Personal Data Ordinance.

He gave the example of compiling information to identify individuals who may not wish to be identified, or gathering data without notifying the authorities.

He also shared some general tips on Data Privacy Day via Facebook.

The social network, which has 1.55 billion monthly active users, also urged users to review their privacy settings.

“If you haven’t gone through Facebook’s Privacy Checkup lately (or ever), this is a must-do now,” it said in a mass email.

“Click on the little lock symbol at the upper right hand corner of your Facebook feed. Privacy Checkup should be at the top of the drop down menu, with a little blue dinosaur right next to it,” it said.

“When you click on that, it walks you through the top three tools to manage who sees what via your posts, apps, and profile,” it added.

Even though the services offered by Shodan are not technically illegal, Wong sent out a warning to would-be hackers by saying that anyone who has their data privacy infringed with malicious intent has legal recourse to prosecute those responsible, according to the Ordinance.

Such offences are punishable in Hong Kong by a sentence of up to two years in prison or a maximum fine of HK$50,000 (US$6,420).

For some, these punishments are too light; either way, it pays to be paranoid, experts say.

“Always change the username and password to a complex password when installing any internet-connected devices,” Wong advised.

Other tips include selecting internet-connected devices that support SSL encryption, which establishes an encrypted link between a web server and a browser.

Gazeley favours a managed security service.

“If you can afford to put high-speed, always-on internet into your home, then you can’t afford not to put in security as well,” he said.

“Most people now work both at home and in the office. It’s ridiculous if you have high layers of security in the office, but when you unplug your laptop and take it home, you’d plug it straight into the raw internet,” he said.

“We can’t allow this total lack of security to keep going. It’s ridiculous.”