[ βͺβͺβͺ ] -[ Makda ] Let's talk about
who's watching you. High-tech break and enter. -Attention, Johanna and Peter,
your home is being attacked. -[ Makda ] What you need to
know to beat the bad guys. This is your Marketplace. [ βͺβͺβͺ ] -[ Makda ] we are travelling to
a small town in southern Ontario to deliver
some disturbing news. -[ Makda ] A family who lives
here is being watched by the whole world, and
they don't know it. Here they are
renovating their front porch. And here again, sharing more
intimate moments on the back deck, captured by their
own security cameras, and broadcast over the
Internet for all to see. Anyone can keep an eye on
their comings and goings. That's how we've
tracked them down, through their license plate. You can even watch
on their cameras, as we arrive to alert
them to what we've found. -Hi.
-Hello. -How are you?
-Good, thanks. Good, are
you the homeowner? -I am. -My name is Makda. I'm with the CBC.
-Mmm-hmm. We're kind of here
for a strange reason. It has to do with
your security cameras. -Okay. -[ Makda ] I don't know
if you realize this, but those cameras are actually
broadcasting on the Internet. -Really? -[ Makda ] Yeah.
So-- How would you know? That's what brought
us here, actually. We wanna show you what we found. Really? Yeah, we can show
you what's happening right now. -Wow. Okay. -[ Makda ] You see
that right there? -And you can just get that? -[ Makda ] That's right, yeah. This is what's
going on right now. What do you think about that? I don't like that at all. -[ Makda ] You had no idea
that this was possible? -No. -[ Makda ] How long have
you had those cameras up? -Six months, maybe.
--Six months. -Yeah.
-Where did you get them? Through Amazon. I ordered them, just online. They were just a
plug-and-play system, so it was easy, no wires. Everything was wireless
through your Internet. I didn't realize that anyone
could have access to that. -[ Makda ] In truth, everyone
can have access to that. On this website, that searches
out and shows security cameras, that are using
default password settings. Toronto, Chatham, Medicine
Hat, we've got a house here in Mississauga. Over here we have
one in Vancouver. There are tens of
thousands of them, streaming from across
Canada and around the world. And people don't know that
these cameras can be accessed by anybody. The website says its just trying
to expose security issues. But these homeowners are
the ones being exposed. Look at this. They're putting
together a puzzle. I can almost see-- [ Gasps ] Wow. Clothes on the chair. Wait a second. Oh, my gosh, I can see her. [ βͺβͺβͺ ] -[ Makda ] Over the next several
weeks we try to figure out where exactly these people live,
so we can warn them. And as we search for clues, we
find more private moments... By the pool, in the kitchen,
even upstairs near their bedrooms--moments not
meant for public viewing. And then one day... So, we've been looking for
clues and today we got a hit. See this right here? This is the first time that
we've been able to make out a license plate. By searching the license
plate and various websites, we narrow it down to an address. But is it the right one? There's a pole here. You can see a light pole. Let's go back to the video. You can see this here. Which seems to match the
Google Maps Street view of this address. We're going to their house and
we're going to tell them what we've been seeing and
what other people can see. We're heading down the
highway, days later, when we think someone's home. And once again, our arrival
is being broadcast over the Internet. Hi. -I'm Makda with the CBC.
-Yes. And the reason why
I'm here, it has to do with your
security cameras. I don't know if
you realize this, but those security cameras
are actually broadcasting on the Internet. -Oh, I didn't know that. -[ Makda ] The homeowner
wants his identity protected, even though his life has already
been watched around the world. We're about to show him how. You can see here
it's a bit of a delay, but then... I'm just going to... -Well, that's no good. See,
that's us right there. Mmm-hmm. -[ Makda ] And these
are your cameras. Did you ever think that
something like this was possible? -No, no. And how long
have you had these cameras? February. Okay, can I ask, why
did you think of getting them, and setting them
up around the home? I have teenage kids and I
wanna see what's going on in my home, especially when
I am away travelling. So, you got them
for the safety of your family? Yeah. And you never
thought something like this, that anybody could just
look into your house? No. -[ Makda ] He struggles to
process the information. Steps he's taken for security
may actually be causing harm. And what exactly
have people seen? -I mean I have a pool, I come
in and out and this and that. If my kids aren't around I don't
need to change or whatever, you know? It's just--
privacy's blown already. I don't know how
you make that right. How are you gonna
have the conversation with your family about this? I'm not sure. Not sure. It's quite
upsetting and disturbing. I'm not gonna lie. That's the privacy of my
home being invaded, right? -[ Makda ] Knowing that these
cameras are playing for anyone to watch, if we figured it out
it doesn't take much for anyone else to figure it out. Well, I'll be disconnecting
them as soon as I go back in. -[ Makda ] So, how did the
privacy of these homeowners get so violated? We do more digging. -We have a delivery. Professional Video Security. -[ Makda ] This camera system
is the same type used by both families. It's sold by a
company called OOSSXX. -Let's get these positioned
so we can spy on you while you work. -[ Makda ] Oh, that
just sounds great. -So, what's this one? This one's the bottom right. -[ Makda ] Set up
is relatively easy. But when it comes to
connecting it to the Internet, the problem becomes clear--the
system does not require you to set a password. The default factory
setting password is empty. This means you do not
need to fill out a password. -[ Makda ] Username, admin. That means once it goes online,
other people could access your cameras too, and
there are no warnings. Okay, that's the problem. We ask OOSSXX why it doesn't
insist on a password like some other companies do. But they wouldn't
answer our questions. [ βͺβͺβͺ ] -[ Makda ] More
smart home secrets. -What was that? -[ Makda ] And testing
some of the top brands. -I kind of like having the
different security cameras so you know what's going on. -[ Makda ] Will this family pass
a home hack attack? Get more Marketplace. Sign up for our
weekly newsletter at cbc.com/marketplace. [ βͺβͺβͺ ] -[ Makda ] This is
your Marketplace. [ βͺβͺβͺ ] -[ Makda ] Across Canada,
homes are being transformed, by so-called smart devices
that promise to make things more convenient, and more secure. It's automated control of
everything from our lights and locks, to our TVs
and temperature. -Alexa, set the
thermostat to 23. -Okay. -Alexa, kitchen light on. -Okay. -[ Makda ] In Canada alone,
more than 100 million of these devices are now
connected to the Internet. But there is a downside. Many people don't know how to
secure their smart devices, allowing hackers and pranksters
to invade their homes, and their privacy. [ Screaming ] -What was that?! [ Screaming ] -[ Makda ] This woman is
terrified by the 21st century version of a crank call. -I can see you. -[ Makda ] Whoever's controlling
her camera can also communicate with her. [ Screaming ] -[ Makda ] Even little
babies fall victim. Traumatized at night by someone,
who's taken control of the baby monitor. The dark side of all this
new technology might not occur to most. -Yeah, that's the indoor. -[ Makda ] Johanna Kenwood and
Peter Yarema think smart devices are both cool and convenient. -I love it. I think it just makes life so
much easier. -[ Makda ] But they're
looking for security, too. -And that's why I kind of
like having the different security cameras, so you know
what's going on. -[ Makda ] So they're careful
to pick top brands that promise security as a priority. Cameras by Nest. And a new lock by
Schlage for the front door. It's connected to a
central hub made by Wink. All of the devices are
controlled by apps on their phones, or by their Amazon
personal assistant. Thermostat is off. Yeah, I wanna
get more of them, just spread them out a little
bit more so I can actually walk through the house and have
all the different ones going. -[ Makda ] But could
devices like these actually make us
more vulnerable? We're about to find out.
-Park right here. -[ Makda ] This van is carrying
three white-hat hackers. Arsenii, Chris, and Michael work
for a company called Scalar. Make sure the
wireless packets-- -[ Makda ] Businesses hire
them to test their security, to find weaknesses
before the bad guys do. Here we go. -[ Makda ] Johanna and Peter
have agreed to let these guys do whatever it takes
to hack their home. Okay. -[ Makda ] It isn't long before
they figure out a key component. -Here we go.
There it is, guys. Nice. -[ Makda ] They crack the
password to the home's Wi-Fi network. -Free Wi-Fi, everyone, now--
-[ Makda ] And then discover it's the same password used by
Peter to control the thermostat. All right, connected! -[ Makda ] But to
get full control, they decide they need
Johanna's password, too. Back at headquarters, they
create a phishing e-mail. It's a fake, designed to
trick Johanna into revealing her password.
Oh, she has opened it. Message has been opened. -[ Makda ] If she clicks
on the link they sent, they'll be able to control just
about every smart device in her house. The waiting game
doesn't last long. Here we go. We've got credentials, awesome! -[ Makda ] And just like that,
they're ready to hack the home. [ βͺβͺβͺ ] You can only see us
when we want you to. -[ Makda ] Don't let
this happen to you. That's pretty terrifying that
they're able to get into so many devices. -[ Makda ] How to fight
back against a home hack. Do you have a story you
want us to investigate? Write to us, at
Marketplace at cbc.ca. -[ Makda ] This is
your Marketplace. [ βͺβͺβͺ ] -[ Makda ] We're inside
a home in Oakville, Ontario, filled
with smart devices. What is it that you
guys like about having these smart devices?
-Convenience. Just some of the simpler
things, your hands are full, you need a light on. I like the security. I like being at work and having
the notifications going off and knowing what's going on at my
house while I'm away from it. -[ Makda ] But outside,
three guys in a van, who have a point to
prove about that security. They're going to try to hack it. Good to go. Let's take a look. Let's see what we have. -[ Makda ] Do you guys
have a favourite device? That's a good question. I'm gonna say it's probably
the inside camera, just so I can see the doggies
and see what's going on. -[ Makda ] Okay,
what's going on? Did you guys see that just now? Attention, Johanna, Peter,
your home is being hacked! Well, that's surprising. -[ Makda ] Did you expect that? No, not the Nest camera,
'cause they usually-- they're supposed to be
the top-of-the-line, most secure out there. -[ Makda ] He just talked
to you through that. I know. -[ Makda ] And did you see
what was going on behind us? Yeah. It's time to turn
up the heat in here. Check your thermostat! Well, our AC's just been
put up to 32 degrees. [ Laughter ] So, it's gonna
get hot in here. -[ Makda ] What do
you think about that? That's pretty terrifying,
that they're able to get into so many devices, especially--
I'd say more so the living room camera, I think. 'Cause that's, you
know, it's our home, it's the inside, we
have a child in here, and to know that
someone can get into it... -[ Makda ] Outside in the
van, they're not done yet. Things are about to get
even more disturbing, as our hackers show some real
damage they can do when they target this personal assistant. Alexa, order a 4K TV. I've added a Samsung 4K
TV to your shopping list. -[ Makda ] Now what if
someone could actually do that? I wonder if they have access
to my full Amazon account, which has my credit
cards, my bankcard. Everything's on there. -[ Makda ] And what if they do? I guess I'm gonna
be really broke soon, owe a lot of money. -[ Makda ] Did you guys-- Wanna see what
we're up to outside? Have a look at
your security camera. -[ Makda ] What's going on? Doesn't wanna load up. Oh, there it goes, offline. -[ Makda ] Your
camera's off-line. Yup, so if I was at work
and someone was coming on the property,
I'd have no idea. You can only see us
when we want you to, and that time is now! -[ Makda ] So, he said you
can only see us when we want you to see us. That's so creepy. -[ Makda ] You said it's creepy. Why? What's that?
-That's our front door lock. That's our front
door lock, yeah. I'd say that one's the more
troubling of any of them. And unlocking. I feel unsecure now. [ Laughter ] Hi, guys. I just let myself in. My name is Arsenni and we've
just compromised your house. -[ Makda ] He just
unlocked your lock. He walked in here. How are you guys
feeling right now? To be honest, a
little terrified. -[ Makda ] Why? I'm gonna say especially
if I'm not around, we do have animals and
we do care about their well-being and, you know, we
don't have the fanciest things, but, you know, you
just feel invaded. It's your stuff. It's your home. -[ Makda ] Arsenni says his team
could have done a lot of damage if they really wanted. Like, you saw us, we could knock off the camera,
come over and opened the door, grab a package or
whatever, and leave. -[ Makda ] What advice
do you have for them? How can they make sure
to secure their devices? Well, for one, change
your passwords. You want to have different
passwords for each one of your online accounts. Make sure you have extra secure
passwords for critical stuff like your e-mail or, say,
Nest camera, because the Nest camera is a real
window into your life, right? It really is. -[ Makda ] Strong
passwords are a must. The longer, the better--
at least 16 characters. In fact, try using
a password phrase, three or four words that
don't mean anything together, but you'll remember. Or use a password
manager that generates and remembers passwords for you. As for the makers
of smart devices... Did someone log in? Is it a suspicious login? Is it not your home IP address? -[ Makda ] Arsenni would
like to see some changes. What can the manufacturers do
to make things more secure? The main things that they
could implement would be use of two-factor
authentication, because, you know, having just a password
as the only thing that protects your smart home is not enough. -[ Makda ] Two-factor, or two-
step authentication is already offered by some companies,
like Apple and Google. When you log into your
account on a new device, they ask for a special code
that they send to your phone, confirmation it's really
you and not someone who stole your password. We ask the makers of Peter
and Johanna's devices about two-step authentication
and why it's not required. Amazon and Nest both say
they have that option and encourage people to use it. Schlage says its locks just
took orders from the Wink hub. And as for Wink, after we
share the results of our investigation, it
announces a big change. Wink is now, "Taking
immediate steps to implement two-factor
authentication." Meantime, our homeowners
are taking steps, too. Those unsecured cameras
were quickly unplugged, and are no longer open
for the world to see. Peter and Johanna say
they've learned a thing or two. How are you guys
feeling about this? You've got these devices because
they were cool and convenient. And they were
supposed to be secure. -[ Makda ] Do you
feel that way still? Not really. -I'd probably take the door
lock off the Wi-Fi and just keep it as a keypad. -[ Makda ] Any other
changes you would make? Definitely passwords. I think that will be the first
thing after you guys leave. Everything's gonna get changed. [ βͺβͺβͺ ] -[ Charlsie ] Undercover
safety spot check. Oh, my gosh.
Oh, my gosh. That baby's like
nine months old! Kids just don't know
that it's not safe. We are seeing injuries that
are occurring at speed and force that we would
not normally see. I asked her to stand up
and that's when we realized that she couldn't stand up. -[ Charlsie ] We visit
trampoline parks across the country, in Ontario,
Alberta, Nova Scotia, and BC. It's an unregulated
industry no one is watching, until now.
Step 1 - Change your default passwords.
This is just poor security practice by companies and camera owners alike. Itβs just like the issue of IP cams and not eye. Yo should always have strong authentication and NEVER have a public ally facing webpage without authentication.
I've read all the comments, but as a n00b, I'm still confused. My set up, and feel free to critique it, is a D-Link DCS-932L connected to my secure wireless network and is in my tool shed, pointed at the doors. It's on the same network I use for all my devices, and I use a custom password created by LastPass. Am I at risk?
And here we go again. Yet another "scared", uninformed internet user alarming the world. See the comment from deiutz1, which is a good option.
BUT WAIT, there's more!
Many of these devices have the following issues:
-- Firmware cannot be updated for security (costly) --Users do not or CANNOT change a password
These issues are well known since at least 2009, and will continue. For example: Netgear (well known company) had a problem with the WPA2 module in one of it's routers.
This is called the "IoT" (Internet of Things).
I guess most people have never seen companies or governments run daily vulnerability scans, and have to have issues.
ALL products, at any time, MAY have these problems.
If you don't want security issues with your (all your home stuff), then STAY OFF THE INTERNET. (air gap the device).
Hereβs the link .. have fun!!