FTC cracks down on seller that left in-home security cameras exposed to hack
A California company that sells internet-connected security cameras has been forced to beef up its security practices after a hacker exposed a major flaw in its products.
On Wednesday, TRENDnet agreed to settled charges brought by the Federal Trade Commission (FTC), which stemmed from a 2012 breach when consumers' at-home video feeds were made viewable online.
According to an FTC complaint (PDF), 20 models of TRENDnet's internet protocol (IP) cameras were vulnerable to being hacked because of a flaw in the products' direct video stream authentication (DVSA) setting. Due to the flaw, an unauthorized user accessed live video feeds, which were hosted at a public web address without entering camera owners' login credentials, the commission said.
In January 2012, a hacker, known by the online handle “someLuser,” successfully exploited the vulnerability, and posted information about the flaw online. The disclosure quickly went viral, which led to other users posting URLs to the live feeds of nearly 700 IP cameras – putting consumers' home lives on display via the web.
According to the complaint, the feeds showed everyday activities, like babies sleeping in their cribs, children playing or adults doing mundane tasks throughout their homes.
In addition to the breach, the FTC alleged that since January 2011 two TRENDnet mobile applications, the SecurView and SecurView PRO apps for Android, stored user login credentials in clear, readable text on consumer devices. The apps allowed consumers to access their IP camera feeds via their mobile devices.
The FTC added that login credentials of customers were also transmitted over the web in the same unsecure format.
TRENDnet, which failed to complete vulnerability and penetration testing of its software or to employ “reasonable or appropriate” code review and software testing, could have otherwise avoided the major breach, according to the FTC.
Under the settlement, which is subject to public comment for 30 days before it is finalized by the commission, TRENDnet must establish a comprehensive security program that addresses the privacy and security risks of its cameras. The Torrance, Calif.-based company must also notify customers about software updates (available since 2012) to correct the issue and offer them free technical support for the next two years to help in updating or uninstalling the IP cameras.
TRENDnet would also be subject to third-party security program audits every two years for the next 20 years, the FTC said.
In a Thursday interview, HD Moore, chief research officer at Rapid7, told SCMagazine.com that the security issue is an easy one to exploit – and one that impacts web-connected cameras frequently.
“The core issue is you can access the live camera feed without authentication, which is actually very common,” Moore said. “But it's the first time I've ever seen a regulator step in for this kind of a security issue. It's surprising that it's actually [gotten] to this point [with the] FTC, and it's actually a good sign.”
In a statement on its website, TRENDnet said that it immediately “initiated every effort to respond and resolved the  hack,” including releasing updated firmware for its impacted products and halting product shipments at the time.
The company said the case has, ultimately, improved its security for current and future products.
“The product hack and the subsequent FTC action was used as an opportunity to improve best practices which support augmented product security for existing and future products,” TRENDnet's statement said. “Furthermore, a systematic security review process from an accredited third party entity helps maintain best practices into the future."