When Fiction Becomes Reality: Cutting Edge Thriller Predicts Webcam Spying Hack
The timeline:
On August 7th, 2014 my debut novel Invasion of Privacy was published. It is a fiction thriller with a plot centred around webcams being hacked into remotely so that, unknown to the webcam owners, their day-to-day lives are streamed live on the web to dramatic ends.
On September 20th, 2014, six weeks later, The Mail on Sunday published an exposé of “How ‘home hackers’ spy on you and your children…with YOUR webcam: The shocking evidence that shows how private lives are snooped on and streamed live on web.”
(UPDATED 6th NOVEMBER: An article appears on Network World with more facts and details about the webcam website exposed by The Mail on Sunday: Peeping into 73,000 unsecured security cameras thanks to default passwords)
(UPDATED 19th NOVEMBER: Front page of Daily Mail: Russians spy on UK families via their webcams: Hackers use your computer to watch you at home then post photos online)
(UPDATED 20th NOVEMBER: BBC News on tv and web: Breached webcam and baby monitor site flagged by watchdogs and ZD Net: Got a webcam? You might want to pick a stronger password right about now)
(UPDATED 21st NOVEMBER: The Times: Russian hackers put UK webcam footage live on internet)
What can you see on these webcam sites?
The Mail on Sunday reporters were able to watch footage showing scores of people inside their homes, oblivious to the fact that they were being observed remotely. They even tracked down one travel agent’s office in London and remotely watched their reporter show the manager that his agency was being broadcast live on the internet.
Brody Taylor, the fictional elite hacker protagonist of Invasion of Privacy, does much the same thing. But, the novel being a crime thriller, the locations visited were now murder crime scenes.
The Mail on Sunday goes on to explain, “Many cameras were fixed on babies and small children sleeping in their beds. There was also close-up footage of an elderly lady relaxing in Aberdeen. Another camera in a London home filmed a schoolboy texting on his mobile phone. A man in Crawley was seen on a sofa with a cup of tea, with family photographs on the wall behind him.”
Like any good thriller, Invasion of Privacy takes this (now) real-world scenario to the extreme. A serial killer is one of the many voyeurs addicted to these webcam feeds, fixating on a few young women. By watching and studying, he learns all about his prey and uses this privileged information to lure his chosen victim under false pretences to a location where he brutally rapes and murders them. Fortunately, the Mail on Sunday didn’t have a real world equivalent of this. Let’s hope something like this stays in the world of fiction.
How is it done?
Technologically, the IP cameras exposed by the Mail on Sunday are vulnerable because their owners never changed the default username and password. Hackers were able to remotely scan addresses on the internet until they found an exposed IP camera, and then streamed its feed on their own websites for all to see.
There is a similar website described in Invasion of Privacy set up by a computer hacker who has worked out a way to hack into these cameras remotely. His method is deliberately far more complex than the simplistic default username and password trick exposed by The Mail on Sunday. The discovery of the scam and exposure of its underlying technique forms one of the book’s subplots, so I won’t disclose how it’s done here. But changing usernames and regularly changing passwords wouldn’t have stopped it happening.
But, either way, both the Mail on Sunday’s article and Invasion of Privacy serve as warnings to millions of IP webcam owners.
Am I involved?!!
All of this begs a rather obvious question: as the author of Invasion of Privacy, was I already aware of the scam before its exposure by The Mail on Sunday?
The answer is simple. Yes.
And no!
Let me explain.
The History of Warspying
I first had the idea for Invasion of Privacy over ten years ago, long before the modern IP webcams recently exposed by the Mail on Sunday ever existed. Back in 2003, home wifi networks were relatively new and scarce. And, unlike nowadays, many of them were left unencrypted. It led to a practice called WarDriving. The term was adapted from the 80’s movie, War Games, and involved people driving around neighbourhoods with wifi scanners, searching for unencrypted wifi networks. They could then hop onto the wifi network and surf the internet at the expense of the oblivious home owner. It became common practice in urban areas and soon websites were created displaying maps of the locations of all these unsecured wifi networks, the idea being that in-the-know out-of-town visitors could always find a local wifi network and hop on to the internet at someone else’s expense.
At the same time, one of the first generation of internet connected webcams came to market. They were called X10 webcams. They were inherently insecure with no encryption and little security. As they became popular, Wardriving evolved into Warspying, driving around with a video receiver and screen to pick up transmissions from these wireless X10 webcams. Their feeds could then be viewed freely. The only constraint was the need to be within wireless range, up to 50 metres.
The thought of these people driving around towns, stumbling across exposed webcams and secretly watching the unwitting inhabitants was troubling and quite scary. As I read about them, I began to imagine what it would be like to be one of the people being watched, especially if you ever found out that your intimate life had been broadcast to all and sundry. And then I asked myself, what if the watcher took it further? And, as you can see, the budding author in me suddenly had the premise for his future novel.
Warspying 2.0
But roll forward to 2011 – why it took so many years to finally write it is the subject of another post (short answer is Hamlet’s favourite word: procrastination) – and I finally knuckled down to write what would become Invasion of Privacy. Only there was one major problem. By then, the X10 market had pretty much died and the company behind them went out of business a couple of years later. Other brands of IP webcams existed, but by now they included security options and even encryption. Undeterred, I used my technical background to explore hypothetical ways to make my original premise workable despite the improvements in wireless IP webcam security. Invasion of Privacy was finally completed in February 2014, and published six months later. It is technically accurate in its portrayal of the technological elements of the plot, including the hacking of webcams.
And yet, it turned out that my premise was more accurate than even I had realised: I had never discovered a website that actually streamed webcam feeds from hacked webcams. But it is very real and the Mail on Sunday exposé shows that clearly, with images of babies asleep in cots and old ladies relaxing in day chairs. Their investigation found 60,000 hours of live feed on one website alone. And the big difference from the original warspying technique is that these streams are watchable, via illegal streaming websites, from anywhere in the world. No need to be within 50 metres anymore. Welcome to Warspying 2.0!
In my novel, the bad guys behind the webcam streaming websites are ultimately exposed and the site is shut down. Unfortunately, in the real world these websites still exist and many thousands of webcam locations are still unwittingly sharing their feeds and being intimately observed by thousands of voyeurs on the web.
As the author of a fictional novel with a rather interesting premise, it is rewarding to see that the real world has finally caught up with my imagination. But at the same time it is absolutely terrifying that the extreme events of Invasion of Privacy could theoretically come to pass. Let’s hope that together, Invasion of Privacy and The Mail on Sunday’s recent article go some way to making IP webcam owners configure their security settings properly and that whatever it is they point their webcams at remains totally private.