Prison surveillance footage posted on YouTube
By Tomas Foltyn, security writer at ESET
Law enforcement in Thailand is looking into an incident that resulted in the streaming of live surveillance footage from a local prison on YouTube, according to a report by The Bangkok Post
The feed, which gave a glimpse into inmates’ daily lives in crowded cells, contained materials from several locations within the facility. The footage was aired on the video-sharing platform for several hours and was leaked by an as-yet unknown attacker on a YouTube account named ‘Big Brother’s Gaze’ after he compromised, the CCTV system of the Lang Suan prison in the southern part of the country.
The cameras were connected to the internet so that authorized individuals, notably prison and other law-enforcement officials, could keep tabs on the situation in the prison from any smart device. The CCTV system was taken offline in the wake of the incident.
The authorities didn’t say what opened the door to the intrusion, but the attacker himself did give more than a hint: “When installing video surveillance change the standard passwords,” reads a message in the ‘About’ section of the said YouTube channel. According to the Associated Press, the account previously contained footage from security cameras at a Thai company’s office, street views of Salt Lake City, an office in Australia and a café in Amsterdam.
Poor password practices, along with vulnerable embedded firmware and the absence of patches, are just some of the main problems that plague all sorts of internet-connected things, including, somewhat ironically, security cameras.
As one might have expected, this was not the first time that an unauthorized party has remotely tapped into a CCTV feed and streamed it online. For example, in early 2018 live footage from surveillance cameras in four British schools was put online. The incidents were also caused by poor password hygiene.
In another highly publicized case involving CCTV systems, two-thirds of public-space cameras in Washington, DC, were put out of action as part of a ransomware operation in January 2017.