I feel like in a surveillance project which explores unsecured CCTV cameras, the next logical step is to expose the vulnerabilities of these systems to those who are affected by them. I decided to expose this for a UK office as I felt like it may seem less creepy and weird than possibly telling someone whose home CCTV is unsecured.
Before I actually started the process of exposing this issue, I constructed a short survey which focused on how people felt after looking through someone's unsecured CCTV camera. I asked three short questions:
How do you feel after taking a glimpse into these peoples lives?
Do you think CCTV has become normalised in society?
Would you want to know if your cameras were broadcasting online without your knowledge?
For my research, I designed a poster which showed an image of an unsecured CCTV camera. The poster asked the viewer a question: 'How does this make you feel?' and presented a QR code to the questionnaire which was hosted on a google forums survey. The images below show the poster design.
I used the Reprographics printing facilities available at LCC to print my posters. I then presented my posters on multiple poster boards around the university to ensure lots of people will see then and hopefully answer my survey.
The results
I was most interested in the responses from question three: 'Would you want to know if your cameras were broadcasting online without your knowledge?'. 100% of the responses voted yes, they would want to be notified if their CCTV cameras were not secured.
This is what I wanted to achieve next.
First, I needed to decide how I was going to get in contact with the owners of these systems. Maybe I could send a letter through the post, or send the offices an email, however, this would require trying to find out where these offices are, and possibly what they are called.
I knew this was going to be difficult to find out. I conducted some research on the internet if it would be possible to find out some contact details of this office. I found some websites which aim to find out location details of IP addresses. I used a few of these services and cross-referenced the results. I use the same technique to try and find the location of a house with unsecured cameras, but the results displayed general coordinates. Since the IP address was registered to a business, it was much easier to find:
All results showed the organisation as Onega Ltd. A quick Google search showed that this, in fact, was the correct office as images of their website show the same building features I could see through the live feed.
I find it hilariously ironic how an IT support and services company doesn't have secure CCTV cameras, and that a university student is about to expose that to them. My next steps are to send a letter to this office informing them.
I designed two letters, the one on the left follows a traditional letter design which I believe shows sympathy to their situation. Whereas, the design on the right goes for a in-your-face, how could you let this happen design, which I personally was a big fan of. After some user feedback of the two designs, everyone expressed their dislike to the second design, saying they would be freakout and that there is nothing friendly about it.
Preparing my letter to be mailed.
Their response
Somebody from Onega reached out to me through the email I provided in the letter. It turns out their 'unsecured' CCTV feeds were not actually unsecured. They were intentionally made available for others to view online.
We do this as we’re an IT company of approx. 12 of us, doing good work to support clients. We like to wave to clients and also show who we are and what we do etc.
I find it so fascinating companies such as Onega are changing the use of CCTV. Live streaming, through services such as YouTube and Facebook, is already so common today. However, Onega isn't using these methods. Using a CCTV camera system instead I believe makes the whole experience of the user viewing the feed more accidental rather than intentional.
I think it's important that I try to find another office, business or home I could expose their unsecured CCTV cameras too.
I found another business! I am preparing the letter I will mail them. Let's hope it's not intentional... 🤣
Bibliography list:
GitHub. (2019). woj-ciech/kamerka. Available at: https://github.com/woj-ciech/kamerka (Accessed: 21 October 2019)
Wojciech. (2018). Hunting with ꓘamerka 2.0 aka FIST (Flickr, Instagram, Shodan, Twitter). Available at: https://medium.com/hackernoon/hunting-with-%EA%93%98amerka-2-0-aka-fist-flickr-instagram-shodan-twitter-ca363f12562a (Accessed: 21 October 2019)
Wojciech. (2018). ꓘamerka — Build interactive map of cameras from Shodan. Available at: https://medium.com/@woj_ciech/%EA%93%98amerka-build-interactive-map-of-cameras-from-shodan-a0267849ec0a (Accessed: 21 October 2019)
Reference list:
Cox, J. (2014). This Website Streams Camera Footage from Users Who Didn't Change Their Password. [online] Available at: https://www.vice.com/en_us/article/z4my73/this-website-streams-camera-footage-from-users-who-didnt-change-their-password (Accessed: 21 October 2019)
Cox, J. (2018). This Tool Shows Exposed Cameras Around Your Neighbourhood. Available at: https://www.vice.com/en_us/article/59vm4x/tool-exposed-cameras-map-shodan-python-github (Accessed: 21 October 2019)
IP Location. (2019). IP Location. Available at: https://iplocation.com/ (Accessed: 21 October 2019)
Iplocation.net. (2019). Available at: https://www.iplocation.net/ (Accessed: 21 October 2019)
Textmagic.com. (2019). Free IP Geo-location: Locate IP Addresses & Prevent Fraud. Available at: https://www.textmagic.com/free-tools/ip-address-geo-location-tool (Accessed: 21 October 2019)
whatismyipaddress.com. (2019). IP Address Blacklist Check. Available at: https://whatismyipaddress.com/blacklist-check (Accessed: 21 October 2019)
Comments