Last Friday, the media featured a dramatic news item. It was reported that the Israel Defense Forces had contacted Israelis living in communities near the border with the Gaza Strip to ask them to unplug any webcams that they had.
The reason: concern that hackers from Hamas would be able to view their video feeds and even take control of the cameras and turn them into cyberweaponry.
LISTEN: Israel’s goalless war on Gaza and what John Oliver got right
It sounds scary, but what was really going on here?
Haaretz contacted the IDF Spokesperson's Unit to ask. They responded that "several days ago, IDF commanders made a recommendation, at the direction of security officials, to temporarily turn off security cameras." Officials made clear that the directive was for the communities as a whole and not individual residents.
Even if it turns out that the initial scare was a bit excessive, the truth is that the recommendation itself is not unfounded. It's not a bad idea to protect such cameras, because some of them - especially in Israel - are totally exposed and really can be used by criminals as well as those engaged in hostile cyber attacks. If you want to see the world through the eyes of a cyberattacker, you're invited to enter websites that feature webcams and online security cameras: Sites such as www.insecam.org provide access to web cameras that are open to access to the public.
Anyone visiting these websites can see a range of live broadcasts from cameras in Israel and abroad. Since these are cameras that in any event are not protected by cyberdefenses, in many instances, not only hackers view their feed, but also take control of the cameras and cause serious damage and a range of other harm without any technical know-how.
People who do have a technical background and wish to conduct a more sophisticated search, wouldn't use such a website. Instead, they could use the excellent www.shodan.io/ site, a search engine for web-connected devices. It has a number of filters capable of homing in on webcams.
- Drones to help Israel track protests, damage from Gaza rockets
- ‘Abandon Israel’: Network of fake accounts tries to demoralize Israelis during Gaza war
- ‘It fell off the truck’: Encrypted message app Signal gets revenge on Israel’s Cellebrite
How does this happen?
Security cameras that are connected to the internet are designed to enable us to see what is happening at a specific location at any given moment, whether we're at work or elsewhere. And sometimes, it's not connected to your own personal web camera but rather to security cameras that a number of people have access to, for example a CCTV camera in an apartment building.
That's why a number of webcams are subject to an online management interface – which is essentially a kind of server connected to the internet. If you have a security camera in a building, business or even a private home and to access the camera or to control it remotely, you need to go to an IP address such as http://18.104.22.168, then your camera is connected to the internet.
This address is not confidential and search engines can find it. That's precisely what search engines such as shodan.io or www.insecam.org do.
Cyberattackers can also hack in through a somewhat more sophisticated manner and take control of the camera's operating system and use it for various purposes, such as an attack that would appear to be coming from your own IP address, using a server with illegal materials or other uses. That's why you need to protect your cameras.
How do you protect an online camera? First of all, don't connect it to an outside network. The best way to secure a camera is to install it on an internal network that requires that anyone who wishes to access it to use your VPN, your virtual private network, to enter the system.
It's true that for most people, that would be a complicated process, so the least that should be done is to pay close attention to security by using a username and difficult password to identify. This change is made through the camera's web management interface and the step is highly recommended. If the password on your model of camera cannot be changed, return it to the retailer.
In addition, it's worth verifying that the camera's system is updated on a regular basis.
If your purchase is of a camera from a manufacturer that doesn't bother updating its software (and there are some who don't), return the camera to the store. If you're installing a security camera, it's recommended to look into this in advance with the person installing it to make sure that it has its own username and password rather than one set by the manufacturer.