In the famous incident called "The Fappening," hundreds of celebrity nude photos were stolen from iCloud and posted online, resulting in a severe breach of their privacy. Subsequent incidents have demonstrated just how vulnerable we can be when posting photos online, be it on a secure storage service or when sending it via digital means (email, instant messaging applications, etc.). With the rising fear of privacy violation, came greater awareness of the associated risk. People today are more aware and can take precautions with regards to whom they share sensitive images and how they secure them online. The same goes for webcams installed in the home environment – people are aware that these can be hacked into and therefore take precautions when near such devices. But when we’re in a public space, our control over who’s filming us and how they use this information is non-existent.

One of Israel’s famous singers, Eden Ben-Zaken, found that out the hard way. Several days ago, footage of her trying on a swimsuit at a local shop emerged and was distributed quickly on messaging apps. Ben-Zaken filed a complaint with the local police where it was discovered that security footage from the store was leaked, allegedly by someone who hacked into the security camera (or its recordings) which then posted them online.

Why were security cameras placed in a way that allowed them to capture sensitive image is one question that is related to privacy, but in terms of security, many questions arise. Where was the footage stored? Who had access to it? Was the camera hacked directly (or accessed without permission) or simply the local PC where the footage was stored?

At best, the store owner was negligent. A more sinister scenario could be that a professional hacker hacked into multiple locations with the hope of capturing the footage of someone they can later extort. With growing adoption of mass-scale IoT and cloud-enabled surveillance, often sold as a service, this scenario is very plausible.

It is certainly not the first time that IP cameras have been hacked into. Several months ago, it was made public that a backdoor that existed in IP cameras by HIKvision allows even non-proficient hackers to access their footage. Even if cameras are protected by a password, these can be easily guessed (most people don’t bother changing the default factory settings, and these can be found online).

Cameras are mostly hacked into for the purpose of viewing the footage, but sometimes the purpose is the opposite – to delete it. Several months ago, the Italian branch of Anonymous remotely took control of a local police computer system in Correggio, Italy, and erased the speed camera ticket database, comprised of more than 40 gigabytes worth of infringement photographs.

The new reality is that due to poor security of cameras, we cannot maintain our privacy in the public space. We can predict that more and more cybercriminals will realize this and learn how to capitalize on this, MAKING the incident of Ms. Ben-Zaken the first of many. This could be prevented by a concentrated effort by privacy and security advocates, IoT service providers and the public – all demanding greater levels of security to ensure such incidents will not become the norm.

First publication: Securithings.com