Poor security around CCTV cameras came back to bite four schools in the UK recently after cyber criminals hacked into their CCTV systems and broadcast feeds on a US website for all to see.
Cyber criminals were also able to hack into and take control of hundreds of CCTV cameras across the UK before broadcasting their live feeds on the same website.
Feeds from the affected schools, which included St Mary’s Catholic Academy and Highfield Leadership Academy in Blackpool, contained live footage of playgrounds, corridors, restrooms, and other areas both inside and outside the school buildings.
According to the Daily Mail, which broke the news, cyber criminals had gained access to ‘at least four British schools’, implying that there could be more schools whose CCTV cameras were breached. While news agencies have rightly refused to disclose the website’s name, anyone who knows of the website would be able to view the live feeds at all times.
Criminals behind the operation also managed to hack into CCTV systems at ‘hundreds of public spaces, businesses and private homes’ as such systems were not protected by passwords, the Daily Mail added. However, both St Mary’s Catholic Academy and Highfield Leadership Academy have strengthened their passwords and removed cameras from their premises to protect the privacy of pupils, teachers, and other employees.
‘As soon as our systems were alerted, the camera feed was immediately taken offline and our technology experts were on site to investigate the breach and to determine the cause,’ said Jeremy Hartley at Eric Wright Group, the firm responsible for installing and running CCTV cameras at both schools.
Following the revelation, the Information Commissioner’s Office swung into action and ordered an investigation into the breach, which may have affected more private homes, businesses, and schools than initially believed.
‘The ICO advises anybody who purchases an internet-connected device which has the capability to stream live video to immediately change passwords and usernames from default settings and to set a strong password,’ said a spokesperson for the ICO.
That poorly-secured CCTV cameras are a threat to the privacy of the general public has been known ever since such devices were introduced for personal and commercial use. Back in 2014, hackers broke into security cameras using default login credentials and posted live footage of the people filmed by these devices on a website based in Russia.
The following year, cyber security solutions provider Imperva Incapsula found that compromised CCTV cameras were used by hackers to launch hundreds of thousands of DDoS attacks. The firm reported that with over 245 million professionally-installed CCTV cameras worldwide in 2014, plus an unspecified number installed by unqualified parties and a lack of awareness regarding how to protect IoT devices, many of them were “just waiting to be compromised by any half-competent hacker”.