I haven’t been able to find a reliable source for this story, other than that it was recounted by Leo Laporte on the Security Now podcast episode #561. However, the scenario illustrates a couple of interesting risks of using Smart devices that may have been returned by an original purchaser and then purchased by somebody else.
During a Q&A session about webcam security, Leo observed:
“…One of our fans earlier today said he bought a security camera on Amazon, didn’t like it, returned it, but he’d already installed the software. And a couple of days later he started getting notifications from the camera, and he’s looking into somebody else’s bedroom.”
This is not an unlikely scenario if the vendor allows returned items to be resold without resetting any of the parameters in their “mother ship’s database”, such as email addresses for notifications. The device in the new owner’s home keeps reporting to the vendor, and the vendor keeps sending notifications to whoever its records still list for that device. In fact, an attacker who knows that this is a vulnerability in any vendor’s products could buy a number of devices, set them up, return them and then opportunistically await the feeds or notifications for future users of the devices.
Of course, we hope that vendors are notified or, better yet, discover these problems in their own testing. But this doesn’t seem to be the case with some products. I suspect this will become a common problem for new versions of established products that understandably want their devices to work with other Smart devices in people’s homes or offices.
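The kind of check a vendor could run in its own testing, as an added example that is not from the podcast or from any vendor's code: a constructed model of the “mother ship’s database” that replays the buy, set up, return and resell sequence and reports who besides the new owner still receives alerts or the feed. The class, method and account names and the serial number are all hypothetical.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DeviceRecord:
    """Cloud-side state the vendor keeps per serial number (constructed model)."""
    owner: Optional[str] = None
    notify: Set[str] = field(default_factory=set)   # addresses that get motion alerts
    viewers: Set[str] = field(default_factory=set)  # accounts allowed to open the feed


class Registry:
    def __init__(self, purge_on_new_owner: bool) -> None:
        self.purge_on_new_owner = purge_on_new_owner
        self.devices: Dict[str, DeviceRecord] = {}

    def claim(self, serial: str, account: str) -> None:
        """Called when an account sets the device up in the app."""
        rec = self.devices.setdefault(serial, DeviceRecord())
        if self.purge_on_new_owner and rec.owner not in (None, account):
            rec.notify.clear()    # hardened: a new owner starts from a clean record
            rec.viewers.clear()
        rec.owner = account
        rec.notify.add(account)
        rec.viewers.add(account)

    def process_return(self, serial: str) -> None:
        """Returns-desk step: drop every binding before the unit is restocked."""
        self.devices.pop(serial, None)

    def stale_bindings(self, serial: str) -> List[str]:
        """Accounts other than the current owner that still get alerts or the feed."""
        rec = self.devices[serial]
        return sorted((rec.notify | rec.viewers) - {rec.owner})


def resale_check(purge_on_new_owner: bool, wipe_on_return: bool) -> List[str]:
    """Replay buy, set up, return, resell; report who besides the new owner has access."""
    reg = Registry(purge_on_new_owner)
    serial = "SN-CONSTRUCTED-0001"                   # constructed sample serial
    reg.claim(serial, "first-buyer@example.test")    # first purchaser installs the app
    if wipe_on_return:
        reg.process_return(serial)                   # vendor resets its database
    reg.claim(serial, "second-buyer@example.test")   # unit resold and set up again
    return reg.stale_bindings(serial)


if __name__ == "__main__":
    print("no reset anywhere: ", resale_check(False, False))
    print("purge on new owner:", resale_check(True, False))
    print("wipe on return:    ", resale_check(False, True))
```

Either control alone closes the gap in this model; a vendor that relies only on the returns-desk wipe still depends on every returned unit actually passing through that step.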
Smart Device Owner Tips
In any case, if you are thinking about buying a webcam (or any connected, Smart device), make sure that when you install it, you review ALL of the settings, in case the device was previously set up for use by somebody else.
Similarly, and just as importantly, if you’re going to return a Smart device, it’s a very good idea to reset the device, if possible, but also reset ALL of the settings you might have configured using a web interface that may have stored your information in the vendor’s database.