SpiderLabs Blog

Wireless Cameras and Webcams: Are You Being Watched?

Written by | May 27, 2014 2:12:00 PM

Trustwave SpiderLabs recently disclosed vulnerabilities in several models of Y-Cam brand wireless cameras. The most severe of these could allow anyone to access an internet connected camera. Although these vulnerabilities affect only some discontinued Y-cam models, these models were widely sold and inventory is still being sold to consumers.

Over the past several months there has been a growing trend of web camera hacking. Just last week law enforcement agencies arrested nearly 100 people internationally for the illegal use of the Blackshades remote administration tool (RAT). Although it is a typical malicious RAT, Blackshades is popular for being able to control a victim's webcam. A 20-year-old computer science student was sentenced to a year and a half in prison for using Blackshades to spy on and attempt to extort a former Miss Teen USA.

This is hardly the first time webcams have been used to spy on people. Last month an attacker gained access to a family's Foscam brand baby monitor. This individual was able to monitor the baby's nursery and, in this case, scream at their sleeping child.

A vulnerability in multiple Foscam camera models allowed anyone to access the camera even without a proper username and password. Foscam released firmware updates to patch the vulnerability but, unfortunately, your average consumer doesn't even patch their laptop, let alone their wireless camera or baby monitor. To make matters worse, webcams are easily searched for using tools like Shodan. Even Google archives webcams and so-called "Google Dork" search parameters can be used to identify webcams.

In the case of Y-Cam, Trustwave SpiderLabs discovered a vulnerability that allows for administrative authentication bypass. This bypass allows for the viewing of restricted pages on the device, including pages which display information such as administrative username(s) and password(s), internal IP addresses, MAC address of the device, SSID names, encryption keys, recorded video, ftp server IP's, and more in cleartext.*

The following Y-cam models are affected by this vulnerability:

SD range models – YCB003, YCK003, YCW003
S range models – YCB004, YCK004, YCW004
EyeBall - YCEB03
Bullet VGA models – YCBL03, YCBLB3
Bullet HD 720 – YCBLHD5
Y-cam Classic Range – YCB002, YCK002, YCW003
Y-cam Original Range – YCB001, YCW001

More current Y-cam models like the Y-cam Cube, BabyPing Wi-Fi Baby Monitor or Y-cam HomeMonitor are not affected. Affected users are recommended to install a firmware fix as soon as possible. A fix is available directly from Y-cam: http://www.y-cam.com/y-cam-security-fix/

Even cameras without known vulnerabilities are often opened up to the internet without adequate protection. Controls like default passwords are left in place and SSL is often not enabled.

For laptop webcams, users will want to take standard precautions to avoid malware. Keep your antivirus up to date. Avoid clicking on strange links or opening unexpected email attachments. For the paranoid out there, a simple folded post-it note will block the camera from seeing anything when not in use while not leaving a residue on the lens.



Consumers that have wireless security cameras or baby monitors should take extra steps to ensure the security of those devices. Make sure that the passwords on these devices are changed from the default. Set up your wireless network with WPA2 and make sure access to the camera is encrypted with HTTPS. Users should also learn what the update process is for their camera and set a calendar alert every two to three months to check for updates. If the camera allows for automatic updates, make sure this option is enabled.

In the end, no one likes the idea of being spied on without their knowledge. Users of wireless cameras and webcams should understand that these devices, like any computer, could be vulnerable if not locked down.

*At the request of a Y-cam representative, we have updated this paragraph and changed the description of the vulnerability to match the original advisory.