Insecure Surveillance Cameras Provide Dystopian Peep Show

It probably doesn’t surprise you to hear there are tens of thousands of web-connected cameras all over the world that are set to accept the default credentials. Actually, there are probably more than that out there, but we can assure you that at least 70,000 or so are only a click away. With this project, [carolinebuttet] proves that it’s quite possible to make art from our rickety, ridiculous surveillance state — and it begins with a peephole perspective.

The peephole in your own front door grants you the inalienable right to police your porch, stoop, or patch of carpet in the apartment building’s hallway while going mostly undetected. In Virtual Peephole, the peephole becomes a voyeuristic virtual view of various corners of the world.

Slide aside the cover, and an LDR connected to an Arduino Micro detects the change in light level. This change makes the Micro send a key press to a Raspberry Pi, which fetches a new camera at random and displays it on a screen inside the box. You can peep a brief demo after the break, followed by a couple of short build/walk-through videos.

If you’re a peephole people watcher, put a camera in there and watch from anywhere.

Via Adafruit

29 thoughts on “Insecure Surveillance Cameras Provide Dystopian Peep Show”

  1. I do think that the “surveillance state” and individuals or businesses that don’t understand the importance of setting passwords on their cameras are two very different problems. The former I think is serious, the latter.. well.. think me a bad person if you will but I have very little sympathy for people that do things like this to themselves.

    We live in a technological society. Everyone should feel responsible to become technologically literate. And yet most do not. I think not understanding the basics of how your own stuff works and how to use it safely is like wandering around lost all day because you never bothered to learn where your own home is. Let people take some personal responsibility for their e-gadgets.

    No doubt there are things manufacturers could do to help protect the masses from their own ignorance. I’d rather see lessons learned and the general population begin to place a greater value on being informed.

    1. Yeah. I also dream of a white Christmas. If life just would be so simple. The more I learn, the more I know how few things I actually know or understand. We do not live in a technological society: We live in the middle ages with smartphones and drones. I think Randall Munroe hit the nail on the head with this one: https://xkcd.com/1133/
      This is where the average human being actually is now.

      1. You’ve seriously misunderstood the point of that comic. That comic is a perfect example of where the average person who communicates technology needs to be, not where they are now. See the Alda Center for Communicating Science for an example of what that looks like.

        1. I think you’ve seriously misunderstood the purpose of macsimski’s using that comic to demonstrate where people are. The comic shows the average level of understanding of most people, thus the focus on the “ten hundred” most common words. If your average person can understand no more than “this is where the fire come out” then the average person is woefully equipped to understand technology enough to protect themselves. That’s why he also dreams of “a white Christmas.” It’s a pleasant image of an ideal situation which is most likely impossible to realize.

    2. There is no dichotomy such as you suggest.
      The surveillance state is being built by individuals buying security cameras and installing them.
      e.g. Amazon Ring
      You pay for the camera and the bandwidth, etc.
      Amazon partners with police (etc.) teaching police social engineering techniques to get access to the video (or just surrendering it when requested), using police as salesmen, etc.
      Amazon stores the video you take, they own the video, can do what they want with it.
      So “your” security camera is part of the surveillance state.
      (Crowdsourcing big brother).
      The more insecure they can make you feel, the more cameras they can sell.

      https://www.eff.org/deeplinks/2019/08/amazons-ring-perfect-storm-privacy-threats

      1. Does Amazon actually own the photos your doorbell camera takes at your behest?

        From the link you posted, Amazon’s answer is, “Ring and its licensees have ‘an unlimited, irrevocable, fully paid, and royalty-free, perpetual, worldwide right to re-use, distribute store, delete, translate, copy, modify, display, sell, create derivative works,’” but I really feel like that wouldn’t hold up in court. The “fully-paid” part is particularly suspect. Can anyone name a single person that has been paid for footage by Ring or Amazon? It is of course in Amazon’s interest to claim they own such rights, but as is often the case with corporate tendencies to lie first, apologize later, or just settle out of court while admitting no wrong-doing, I wouldn’t trust them on that.

        I’ll never buy the damn thing. I’d build my own before doing that, so I’ll never be the one to challenge it, but I’d like to see someone try.

        1. I also don’t do these cloud cameras. Most of them don’t record 24/7 due to bandwidth and storage requirements to send 24/7 footage to the cloud and also because many of them are battery powered. So they only record video when triggered by motion. I’ve got my own RTSP streaming network cameras that record to a local NVR 24/7. I can review footage before motion triggering might have triggered

  2. In the UK at least, I believe this would be illegal (accessing a computer system you are not authorised to).

    Was discussed many years ago when connecting to your neighbour’s WiFi because devices just looked for the first open access point.

    Real world analogy; You leave the front door to your house unlocked. Does not give authorisation for anyone to enter.

    All that said, it is a cool and clever project and if these cameras are deliberately made public then there is no issue.

      1. Does that matter though?
        At least in the US certainly, and am pretty sure the UK too, “authorization” must be given/revoked by a human.

        That’s why using a default password you know can be illegal, and bypassing all security to a device you own is not.

      2. Good point, but I’ll dispute that by following the previous analogy: Just because you went around trying your house key on all of your neighbors’ front doors, and found a house where your key works, does not mean you are authorized to use it and go in the house.

        Possessing a working key does not indicate authorization. Authorization is authorization. The key/lock concept is simply meant to enforce the concept of “authorized personnel only”.

        If you learned your ex’s password that they use for everything – that doesn’t mean you have the right to log in to their email and bank accounts and social media and cloud storage.

      3. Having the credentials means that you can authenticate, it does not automatically give you any kind of authorization.

        By your logic, if your email and password were to be leaked in a text dump, anyone with that list would be authorized to log in and use your account.

    1. I very much disagree.

      Not with what the law actually is, that would be dumb. The law is what it is, it’s available to read and if you break it they might get you.

      I disagree with the principle behind it and your analogy.

      WiFi devices broadcast radio waves. Unlike a door, you do not enter a WiFi access point, it enters you! Before willfully ignorant people started buying wireless equipment that they do not want to understand it was long accepted by most nations that unencrypted radio broadcasts were perfectly legal to intercept. If you wanted privacy you could either confine your signals to your own home (use wires) or use encryption.

      Actually connecting to an access point is arguably a bit more intrusive than simply monitoring a broadcast. I do think the same principle should apply though. The default setting of most off the shelf hardware is to announce itself to the world. I think operating a device which is constantly broadcasting “look at me, I’m here, use this SSID to connect” should be interpreted as an invitation. The fact that people choose to hook these things up to their networks and supply them with power while making zero effort to actually understand what they are doing is their own problem.

      Also, I did know someone who, back in the earlier days of WiFi set up a router in his attic intentionally as a free connection to all his neighbors. I think he had rate limiting on the internet side so that they couldn’t use all his bandwidth. I know he had a landing page with chat and file sharing, etc… He ended up getting to know more of his neighbors this way!

      Just because we know that a lot of people only leave their devices open because they don’t bother to inform themselves of what that means doesn’t mean one can automatically assume that every open connection was unintentional.

      Or, since everyone likes analogies, it isn’t like leaving a door open. It’s like running garden hoses from your own faucet over the fences and into each of your neighbor’s back yards and then whining about it when somebody waters their lawn.

  3. Sure, many of these cameras are left open because the owner doesn’t understand security but I wonder how many do it intentionally. Most of them are in public places or at least accessible from public places. More eyes could make for more security. Well.. they could if the watcher had any way to identify exactly where the place is that they are looking at in order to report an incident to the police. I’d be tempted to add an address to a sign.

    Better yet maybe is just advertising. Sure, stare at my storefront all day. I’ll just make sure I have lots of advertisements in view of the camera!

    Had I a store I’d be tempted to put an open camera with a sign in the front, “you can stare at this front door for free but for only $9.99 I’ll give you the password to the rear camera and you can watch the rats and racoons fight over the dumpster”.

    Yes, I know. It does allow a potential burglar to monitor comings and goings to see when the place is empty. But what kind of business doesn’t put a sign out front with hours anyway? Not one that I go to twice!

  4. The “fully-paid” clause means that you, the camera owner, agree that you have already been fully compensated by Amazon, et al., for their use of your video. If you’ve received zero actual payment then the price Amazon paid you was zero. And you agreed to that the moment you purchased or activated the product or service.

  5. Unfortunately, “illegality” and “prosecutable” are not the same. If I’m in China watching a camera in the UK, I might be committing a civil offense in your country but your laws can’t do anything about it. A toothless law is the same as no law at all, but with more verbiage.

    Separately, in the US and UK, civil cases can end in split liability: e.g., if a pedestrian walks in front of a moving vehicle and the vehicle operator fails to take evasive action, a jury might say that the pedestrian is 70% liable (because they carelessly walked into traffic) and the driver 30% (for failing to avoid collision). Awards and penalties are then so divided.
