The Paper reporter Zhuang An

  Hospital gynecological surgery was illegally broadcast live for people to watch in real time.

Such incidents have sparked public discussions on webcam security and privacy protection, and some netizens are worried that there may be a deeper industry chain behind them.

  A recent investigation by The Paper found that many domestic surveillance videos were disseminated on domestic and foreign online platforms, mainly on Twitter, Telegram and QQ.

There is a chain of interests behind this: some people install secret cameras or crack the permissions of other people's cameras, and then sell the camera IDs for real-time viewing, and some people specialize in offline agents for sellers.

  "If it doesn't make money, who is willing to sell this?" An agent said that the camera ID is also known as "Taiwan", and it only takes one day to sell the device to earn back the cost.

In addition to the gynecological operating table, there are also camera ID packages including toilets, dormitories, locker rooms, hotels, etc. The price ranges from 100 to 600 yuan, and some "boutique" IDs are fired to thousands of yuan.

  Some agents said that in order to maximize profits, the same ID will be resold to multiple people; and the nudity and pornographic scenes in the surveillance video will be recorded into videos, packaged and posted in group chats or websites, and can only be viewed by paying.

  The Paper's investigation found that the low cost of cracking and installing cameras, and the high prices of ID and related videos, stimulated many buyers to turn into agents.

Judgment documents show that a crime gang installed sneak camera in the hotel, and then resold it layer by layer, with more than 300 people offline.

  Behind the repeated black production, there are problems of supervision and accountability.

Some professionals dedicated to network security said that the "weak password" of the webcam leads to a low threshold for cracking, and even "undefended" in the Internet space.

And due to technical and historical reasons, manufacturers have difficulties in self-inspection, recall and accountability.

  Other professionals analyzed that the act of secretly filming the industry chain itself is flexible and concealed, and the qualitative and legal application of related acts often troubles case investigators; from the perspective of victims, due to psychological panic and time, money, money It costs a lot, and it may not be possible to cooperate with the collection of evidence or insist on accountability.

Toilets, bedrooms, operating tables may be peeped in real time

  "Only platforms with nudes will be sold. People who like to peep." On January 19, a seller advertised the camera ID they sold on Twitter.

  澎湃新闻记者以买家身份向该卖家咨询,对方称,因微信账号会被封,现在他只能通过推特和电报群聊引流。他称,花280元到480元可购买对应的“套餐”,通过对应的设备ID,用户便能实时监控他人卧室、厕所、按摩店、女更衣室、学校女宿舍、妇科检查科室、情趣酒店、民宿等场所,观看软件包括云视通、绿房子、乐橙、萤石云、360监控。

  除了一对一的售卖,还有卖家建立了专门用于交易的群聊和网站。

  在加密聊天软件Telegram上,记者加入了一个群成员超过8000人的群聊,发现成员均为禁言状态,群主会分享通过摄像头录制的色情视频,如想看更多刺激画面,则要交钱“赞助”。

  群主称,该群的监控视频源自自行安装的偷拍摄像头。“就是正常的网上卖的家庭摄像头。”该群主称,安装者将摄像头安装到酒店隐蔽的位置,通过官方软件可以观看实时监控和云回放。

  该群主称,每个公司摄像头软件使用方式不一样,以前主流的可用来偷拍的是360摄像头,目前主流的是萤石云、乐橙、TP-LINK安防,这三个软件在应用市场都能下载。

  “一般情况,你们接触到真实卖台的人都是代理,摄像头安装者本人是不会出来卖台的,机主发货、代理卖货,所以这价格不可能太便宜,再加上风险成本,如果不赚钱,谁愿意卖这个?”该群主称。

  另一个群成员超过3000人的视频分享群中,群主称,想看更多监控视频需要在网站购买邀请码、注册会员并选择“赞助”时长,再发送邮件到特定邮箱,再接收每日整理好在线观看地址。

  除了在境外平台推广售卖监控视频的情况外,疑还有部分卖家活跃在QQ上。

  澎湃新闻查询发现,QQ上有多个名为“云视萤石云宾馆监控”“云视家庭破解ID”的群聊,已无法加入,但根据群聊介绍可关联到相关的客服人员或者QQ号,对方均表示可以售卖摄像头ID或者录播视频,且称可出售针孔设备。

被轻易破解的摄像头弱口令漏洞

  除了私自安装摄像头偷拍,卖家还会通过软件破解他人摄像头观看权限,这种方式成本更低。

  "If you just buy monitoring and watch it yourself, you can just buy the cloud. If you want to sell Taiwan like me, you have to buy Taiwan sweeping software (that is, cracking software)." Agent Xiao Zhou told reporters.

  Xiao Zhou said that 610 yuan can buy a "sweeping platform" package, including sales channels and operation tutorials.

  "Taiwan-sweeping software can crack the surveillance cameras, and if it finds that there are 'boutiques' and interesting things, it can be sold with an ID." Xiao Zhou claimed that selling a table (ID) is a profitable business, and it doesn't take too much time. Do it part-time.

Selling an ID does not mean losing its authority, you can still resell it to others unlimited times.

  Xiaozhou showed his transfer records and said that on January 17, many people transferred money to him, with a total amount of more than 1,000 yuan; the chat records he showed showed that he also provided other sellers with the account number and password of the surveillance video.

  Another seller, Xiao Hong, claimed that he was the "top man" and that he taught other agents.

  The Paper found that Xiaohong's "Taiwan Sweeping Software" sold by Xiaohong contained download links for a series of toolkits such as scanners and weak password checking tools.

Xiaohong said that by installing these files, the weak password of the camera can be scanned and cracked, and the ID result can be obtained.

  An operation video released by Xiaohong shows that when you enter the corresponding device ID in the Yunshitong APP and click to connect, the interface immediately displays real-time monitoring in dozens of homes and hotels, and then clicks on another device ID to display the gynecological operating room. real time monitoring.

  Why can the so-called "sweeping software" easily crack other people's cameras?

Qu Zilong, a professional who has been devoted to network security for a long time and the founder of Network Jiandao, believes that this is related to the ecology of the Internet in its infancy.

  Qu Zilong explained to The Paper that for the convenience of customers, early manufacturers set initial passwords when the cameras left the factory, such as "66666666" and "88888888".

But many customers are not strong on the concept of password reset, which leads to the existence of weak passwords.

And as long as you know the brand of the camera, you can find the initial password on the Internet to crack the camera, which is why most cameras are currently controlled by others by cracking the password.

  "The threshold for cracking is low." Qu Zilong said.

  He said that the principle of cracking of cameras in public places is the same as that of home cameras. There are about three ways: the first is to crack the computer by attacking the surveillance machine, and the second is to crack the new generation of networked cameras, most of which are It is cracked by matching the factory default password and weak password of the camera.

  "The third method is to debug the backdoor by sniffing the manufacturer or crack it through specific vulnerabilities. Compared with the first two methods, this kind of attack is not common in the candid camera industry, and relatively speaking, there is a certain technical threshold." Qu Zilong said.

Crazy blacks with kinky fetishes and voyeurism

  Qu Zilong said that in the current camera cracking business, one way is to connect the camera to a designated account and sell the rights, and the buyer can watch it in real time; the other way is to directly record a specific picture and sell it.

  Peng Mei News combed through a number of referee documents and found that from using software to crack cameras or privately install secret cameras, to shooting sex or nudity videos, to selling and developing offline, it is an important part of camera secret photography.

  A judgment published by China Judgment Documents Network in 2018 shows that in early July 2017, Wang Moushuai, a man from Hebei, used software to crack the IP account and password information of other people's home cameras, and invaded and controlled the information systems of more than 30 home cameras.

  Wang Moushuai also set up 5 QQ groups on the Internet, packaged the cracking tutorials and IDs, and sold them to others at a price of 88 yuan per package.

The court held that Wang Moushuai constituted the crime of providing intrusion and illegal control of computer information system programs and tools, the crime of illegally controlling computer information systems, and the crime of selling pornographic materials for profit.

  Peng Mei News previously reported that a criminal ruling published by the Jining Intermediate Court in Shandong Province in February 2020 showed that Zhao and others had privately installed 360 cameras in hotel rooms in over 9 cities in China for the purpose of making illegal profits. , shoot obscene real-time videos of the sex of the guests, and sell the "invitation codes" for watching the above-mentioned obscene videos to more than ten people such as Shen and Cui through the Internet.

  Zhao and other 4 people promoted and developed more than 300 offline people through QQ and other software. One invitation code can be sold for more than 600 yuan, and each camera can generate up to 100 invitation codes for hundreds of people to watch online at the same time. Many agents Within a month or two, it made a profit of tens of thousands of dollars.

  Behind the low-cost and high-profit black production, there is a deformed voyeuristic desire.

  Xiao Lin, a buyer of Taiwan-sweeping software added by The Paper in the above group chat, said that he joined a lot of candid group chats, which contained very serious content.

He called himself "a good bite".

After finding that the Taiwan sweeping software could not be used, he reported the group owner's Alipay account.

  "The psychological deformities and special hobbies of some groups make some specific videos more valuable." Qu Zilong said that camera cracking has formed a vertical black industry, which has transformed from traditional personal cracking to spy on privacy to purely commercial illegal Buying and selling, commercial operations based on invasion of personal privacy.

The Dilemma of Accountability and Supervision

  In recent years, the relevant departments have stepped up efforts to crack down on the rectification of illegal illegal photography.

  For example, since May 2021, the Central Network Information Office, together with the Ministry of Industry and Information Technology, the Ministry of Public Security, and the State Administration for Market Regulation, have further promoted the centralized governance of black products such as camera voyeurism.

The Central Network Information Office instructed local network information offices to urge various platforms to clean up more than 22,000 pieces of relevant illegal and harmful information, dealt with more than 4,000 platform accounts and 132 groups, and removed more than 1,600 illegal products.

We interviewed 14 video surveillance APP manufacturers with potential leakage of private video information, and urged them to complete the rectification.

  But the black production of secret photography and voyeurism has not been eradicated.

  "The most difficult thing about cracking down on the secret photography industry chain is that the act itself is flexible and concealed. Suspects can engage in equipment modification, secret photography and secret recording activities at any time and place, which is really hard to prevent." Not long ago, Changzhou, Jiangsu Province Lu Yetao, deputy squadron leader of the Cyber ​​Security Brigade of the Wujin Branch of the Municipal Public Security Bureau, said in an interview with CCTV.

In addition, whether the equipment and equipment used by the suspect can be successfully seized and confiscated after the suspect arrives at the case, whether it can be identified as special equipment for eavesdropping and eavesdropping after the seizure, how to fix the illegally obtained and illegally controlled camera accounts and other electronic evidence, and the details of candid photography and secret recording Issues such as how to characterize the behavior involved and the application of the law are all perplexing the police handling the case.

  From the victim's point of view, defending rights is not easy.

  In an interview with CCTV, an associate professor at the School of Criminal Justice of China University of Political Science and Law said that many victims may also have certain obstacles in cooperating with evidence collection due to privacy protection concerns or other reasons, and it is difficult to form a complete chain of evidence when and where they were secretly photographed. .

  Linlin (pseudonym), a Shanxi girl who was secretly photographed by the landlord, told The Paper that the landlord had a lot of private videos of herself in the rental house, and she hesitated to expose it.

After the landlord was detained, she still felt panic from time to time. She always felt that her normal life was affected, and she was not confident about the follow-up accountability.

  Xiao Tang, a woman who stayed at a hotel in Chenzhou, Hunan in October 2021, found a pinhole camera inside the hotel, and found a pinhole camera after changing rooms.

She then called the police.

  On January 21, 2022, Xiao Tang told The Paper that the police had recently caught the candid photographer and transferred him for prosecution.

However, the hotel involved has never contacted her, and it is more difficult to pursue civil liability.

"There is not much compensation for this kind of thing in law, and I am not a local person. I have to hire a lawyer and go to the local area. I really don't have time to do these things," she said.

  There are also difficulties in the supervision of camera manufacturers and their self-regulation.

  Qu Zilong said, first of all, due to technical reasons, the self-inspection of the merchant may not necessarily find that the camera has been cracked.

Secondly, the login method of account and password lacks multi-factor risk control.

Finally, the first generation of cameras has the characteristics of "non-networked, non-cloud".

"It's possible that a small company goes out of business, but the cameras it sold before are still in use in the market. Manufacturers can't supervise, and considering the cost of installation and removal, it's unlikely that the cameras will be recalled."

  Qu Zilong emphasized that it is difficult to legally define the responsibility of camera manufacturers. Before the promulgation of regulations such as the "Data Security Law", the two parties who bought and sold cameras only belonged to a sales contract, and now the law cannot be used to pursue historical responsibility.

  "For example, I bought a camera from you 5 years ago, and there is a 'three guarantees' clause between the two of us, that is, you have to ensure that the camera is available and not broken. You (the seller) need to provide the buyer with a complete warranty service. , but does not include non-disclosure of privacy, cannot be cracked by hackers, compliance with relevant privacy protection regulations, etc." Qu Zilong said that there was no requirement for non-disclosure of privacy in the product design of cameras in the past, so (at that time) companies were very There is little incentive to increase the cost of the product according to this specification.

  Qu Zilong suggested that whether it is cameras, social accounts, or website bills, in theory, passwords should be changed regularly, especially for commonly used accounts related to money and privacy.

For unused accounts or functions, you should log them out directly, or turn off the functions.

Keywords: