PETALING JAYA, Nov 13 — The general thought of securing a home or premise is to install closed-circuit television (CCTV) cameras which can be monitored by a smartphone or a laptop.

But just when you believe you can now have peace of mind, spyware website Insecam.com revealed how easy it is for one to crash into a surveillance system and make the footage public on the Internet.

The website is streaming more than 500  surveillance footages in Malaysia, including Kuala Lumpur, Perak, Penang, Johor Baru and Cyberjaya.

An IT consultant alerted by Malay Mail analysed the website and found those featured had all used similar usernames and passwords in the combinations. They were username and password “admin”; username “admin” and password “12345”; username “admin” and the password left blank; and username “admin” and password “abcd1234”.

He believed owners who wanted to monitor their homes or premises would log onto a particular website and this allowed Insecam.com to obtain the footage easily.

He also said the people behind Insecam.com were not hackers but “those who had experience in setting up networks or are CCTV solution providers”.

Requesting anonymity as he was also in the business of installing surveillance systems, the 33-year-old consultant said such spyware websites were able to detect default login and passwords,  enabling them to enter the systems.

He said such acts were made easy through Internet Protocol (IP)-based CCTV camera systems.

“CCTV solution providers will usually hand a general login and password to the owner to access the software system from afar. The password is supposed to be changed from time to time,” he said.

“The problem starts when these general passwords are left unchanged or are changed to common passwords which are easily tapped.”

He said there were other websites like Insecam.com that were able to trace and capture footage from systems using common login and passwords.

“Once the access is enabled, footage connected to the IP is accessible,” he said.

The consultant said many solution providers would suggest the original username and password be retained to make “future troubleshooting easier”.

“The solution providers will be able to conduct trouble-shooting remotely. Otherwise, they will need to go to the location which is cost and time-consuming,” he said

He said a secure password should be a complex combination of letters and numbers.

“For better protection, passwords should also be changed every two to three months,” he said.