Incident: Exposure of Unsecured CCTV Feeds on Insecam.com

Published Date: 2014-11-07

Postmortem Analysis
Timeline
1. The software failure incident of cameras streaming footage from businesses, factories, building sites, and private homes happened in November 2014. [31784]

System
1. Internet protocol cameras (IP cameras) [31784]
2. Lack of password change on cameras from factory settings [31784]

Responsible Organization
1. Owners of the cameras who did not change the factory passwords of their IP cameras [31784]
2. Insecam.com website for streaming footage from cameras with unchanged factory passwords [31784]

Impacted Organization
1. Businesses, factories, building sites, and private homes with CCTV cameras that had not changed their factory passwords [31784]
2. Domino's Pizza restaurants in Queensland, specifically seven locations, where CCTV footage was exposed online [31784]

Software Causes
1. Lack of password changes on IP cameras: The failure incident was caused by the cameras not having their factory passwords changed, making them vulnerable to unauthorized access [31784].
2. Lack of encryption and strong password protection: The security expert mentioned that without strong password protection and encryption, such exposure of camera footage was inevitable, highlighting a lack of robust security measures [31784].

Non-software Causes
1. Lack of changing factory passwords on cameras: The incident occurred because the cameras were not set up with unique passwords, leaving them vulnerable to unauthorized access [31784].

Impacts
1. The software failure incident led to the exposure of CCTV footage from hundreds of Australian businesses and homes, raising serious privacy concerns [31784].
2. Owners of the cameras were unaware that their footage was being streamed online for the whole world to see, highlighting a significant breach of security and privacy [31784].
3. The incident resulted in immediate action being taken by companies like Domino's Pizza to change passwords and shut down live footage to prevent further unauthorized access [31784].

Preventions
1. Changing the factory passwords of the cameras to unique and secure passwords could have prevented the software failure incident [31784].
2. Implementing strong password protection and encryption for the cameras could have enhanced security and prevented unauthorized access [31784].
3. Regularly monitoring and auditing the security settings of the cameras to ensure they are not exposed online could have helped prevent the incident [31784].

Fixes
1. Changing the factory passwords of the cameras that are being streamed on the website [31784]
2. Implementing strong password protection and encryption for the cameras to prevent unauthorized access [31784]
3. Conducting regular security audits and checks on the cameras to ensure they are not exposed online [31784]

References
1. James Der Derian, Director of the Centre for International Security Studies at the University of Sydney [31784]
2. Security experts [31784]
3. Daily Mail Australia [31784]
4. Domino's chief operations officer Andrew Megson [31784]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization
Rationale:
(a) one_organization: The software failure incident related to the exposure of CCTV footage from cameras with unchanged factory passwords has happened again at Domino's Pizza restaurants in Queensland. The incident involved live footage from seven Domino's Pizza restaurants being viewable online due to the cameras not having their passwords changed from factory settings. Domino's chief operations officer mentioned that immediate action was taken to change the passwords and shut down the live footage [31784].
(b) multiple_organization: There is no specific information in the provided article indicating that a similar software failure incident has happened at other organizations or with their products and services.

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase can be seen in the article where it mentions that the website insecam.com was streaming footage from more than 73,000 cameras worldwide, including 924 Australian feeds, without the owners of the cameras changing the factory passwords. This failure was due to the lack of strong password protection and encryption, making it easy for the cameras' footage to be exposed online [31784].
(b) The software failure incident related to the operation phase is evident in the article when it discusses how the website insecam.com was able to stream footage from CCTV cameras in businesses, factories, building sites, and private homes without the knowledge of the camera owners. This failure occurred due to the operation of the cameras without changing the factory passwords, leading to the footage being available for anyone on the internet to view [31784].

Category: Boundary (Internal/External)
Option: within_system
Rationale:
(a) within_system: The software failure incident in this case is primarily within the system. The failure occurred due to the cameras' factory passwords not being changed, allowing unauthorized access to the camera feeds. The website insecam.com was able to stream footage from thousands of cameras worldwide, including 924 Australian feeds, because the cameras' passwords were not updated from their factory settings [31784]. This failure to change default passwords within the system led to the exposure of sensitive CCTV footage to the public.

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in this case is primarily due to non-human actions. The incident occurred because the cameras were streaming footage without having their factory passwords changed, leading to unauthorized access to the CCTV feeds [31784]. This failure was not directly caused by human actions but rather by the lack of proper security measures in place.
(b) Human actions also played a role in this incident as the owners of the cameras did not change the default passwords, which allowed for the unauthorized access and streaming of the footage. Additionally, the website insecam.com was launched to expose the vulnerability of these cameras, which was a deliberate human action to raise awareness about the security risks associated with not changing default passwords [31784].

Category: Dimension (Hardware/Software)
Option: software
Rationale:
(a) The software failure incident in this case is not directly related to hardware issues. The incident occurred due to the cameras' factory passwords not being changed, leading to unauthorized access and streaming of footage from various locations [31784].
(b) The software failure incident is primarily related to software issues. The failure stemmed from the lack of password changes on the cameras, allowing the website to stream footage without the knowledge of the camera owners. This highlights a software vulnerability in the camera systems that enabled unauthorized access and viewing of the footage online [31784].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident in this case is malicious in nature. The incident involved a website, insecam.com, streaming footage from over 73,000 cameras worldwide, including 924 CCTV camera streams from Australia, without the knowledge or consent of the camera owners. The cameras were being accessed because their factory passwords had not been changed, indicating a deliberate attempt to exploit security vulnerabilities for unauthorized access to the camera feeds. This malicious act exposed private footage from businesses, building sites, factories, and homes to the public, highlighting the dark side of the internet and the risks associated with inadequate security measures [31784].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The intent of the software failure incident: The software failure incident of streaming CCTV footage from cameras with unchanged factory passwords on the website insecam.com can be attributed to poor decisions made by the camera owners who did not change the default passwords. This poor decision led to the exposure of private footage to the public [31784].

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, accidental
Rationale:
(a) The software failure incident related to development incompetence is evident in the article as it mentions that the website insecam.com was streaming footage from more than 73,000 cameras worldwide, including 924 CCTV camera streams across Australia, without the owners of the cameras changing the factory passwords. This lack of changing default passwords can be attributed to a lack of professional competence in ensuring proper security measures [31784].
(b) The accidental aspect of the software failure incident is highlighted in the article when it mentions that the website insecam.com was running footage from CCTV cameras in seven Domino's Pizza restaurants in Queensland without the knowledge of the owners. This incident led to immediate action being taken by Domino's to change the passwords and shut down the live footage, indicating an accidental exposure of the camera feeds online [31784].

Category: Duration
Option: permanent
Rationale:
(a) The software failure incident in this case seems to be more of a permanent nature. The incident involves a website, insecam.com, streaming footage from thousands of cameras worldwide, including 924 Australian feeds, without the owners' knowledge. The cameras' factory passwords were not changed, leading to unauthorized access to the footage. The exposure of this footage to the public highlights the darker side of the internet and the risks associated with inadequate password protection and encryption [31784]. The incident resulted in immediate action being taken by Domino's Pizza after footage from their stores was found to be viewable online, prompting them to change passwords and shut down the live footage [31784].

Category: Behaviour
Option: crash
Rationale:
(a) crash: The software failure incident in the articles can be categorized as a crash. The incident involved cameras being streamed on the website insecam.com without their factory passwords changed, leading to the exposure of CCTV footage from various locations such as businesses, factories, building sites, and private homes. This unauthorized streaming of camera feeds can be considered a system crash as it resulted in the system losing control over the security cameras and not performing its intended function of securing the footage [31784].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: property, non-human, theoretical_consequence
Rationale:
(a) unknown
(b) unknown
(c) unknown
(d) Property: The software failure incident led to unauthorized access to CCTV footage from businesses, building sites, factories, and homes, impacting the privacy and security of the owners of the cameras [31784].
(e) unknown
(f) Non-human: The software failure incident affected the security cameras themselves, as their footage was being streamed without the owners' knowledge or consent [31784].
(g) unknown
(h) Theoretical_consequence: There were discussions about the potential consequences of the software failure incident, such as the exposure of personal information, the need for strong password protection, and the darker side of the internet [31784].
(i) unknown

Category: Domain
Option: information
Rationale:
(a) The failed system in the reported incident was related to the industry of information production and distribution. The incident involved a website, insecam.com, streaming footage from security cameras located in businesses, factories, building sites, and private homes without the owners' knowledge or consent. The cameras were broadcasting live feeds online, exposing the security vulnerabilities of these systems [31784].

Sources
