FTC Forcing TRENDnet to Suffer 20 Years of Auditing
A security flaw found in SecurView IP cameras provided by TRENDnet has pushed the company into settling with the Federal Trade Commission. The agency recently filed a complaint (pdf), alleging that the networking company was misrepresenting the camera's software as "secure". The reported flaw led to the access of nearly 700 active cameras in January 2012, many of which were published on the Internet.
TRENDnet reportedly settled with the FTC on Wednesday, agreeing that it will not represent the IP cameras' software as secure. The company must also address all security risks and help customers fix their software presumably free of charge. More importantly, the company must obtain an independent assessment of its security programs every year for the next 20 years. Ouch.
TRENDnet's security nightmare began back on January 10, 2012 when a blogger named "SomeLuser" explained how he hacked into the then-latest firmware of TRENDnet's TV-IP110w camera. He discovered that he could activate a live stream by merely making a "mjpg.cgi" request to the device's IP address, thus bypassing the need to enter a password. More specifically, the hacked firmware revealed an "anony" directory within the cgi-bin directory located on the camera's http server root directory, pinpointing the exact source of the stream.
After that initial discovery, he then went into the control panel and set up several different feeds, and protected those accounts with passwords. He made the same cgi requests for those accounts and discovered that he had access to those feeds without needing to supply a password. "There does not appear to be a way to disable access to the video stream, I can't really believe this is something that is intended by the manufacturer," he said. "Let's see who is out there."
"By default, respondent has required users to enter a user name and password ('login credentials'), in order to access the live feeds from their cameras over the Internet. In addition, since at least February 2010, respondent has provided users with a Direct Video Stream Authentication setting ('DVSA setting'), the same as or similar to the one depicted below," the FTC states in its complaint. "The DVSA setting allows users to turn off the login credentials requirement for their cameras, so that they can make their live feeds public. To remove the login credentials requirement, a user would uncheck the box next to the word 'Enable,' and then 'Apply' this selection."
SomeLuser then created a python script and jumped into the Shodan search engine using the "netcam" search term. That led to the access of around 350 TRENDnet IP camera live feeds that should have been secured with a password. Naturally once this information went viral, the TRENDnet camera hacking spree began, with over 700 camera feeds accessed. One in six results on Shodan supposedly pulled up unsecure feeds of homes and offices.
The FTC alleges that TRENDnet transmitted user login credentials in clear, readable text over the Internet, and stored user login credentials in a clear, readable text on the user's mobile device. The FTC also alleges that TRENDnet failed to implement a process to actively monitor security vulnerability reports from third-party researchers, academics, or other members of the public. The company also allegedly failed to employ reasonable and appropriate security in the design and testing of the software that it provided consumers for its IP cameras.
The FTC said that twenty TRENDnet IP cameras are affected by the security flaw, which are listed at the end of the FTC's complaint. However the FTC also acknowledges that TRENDnet responded to the reported breach on January 13, 2012 by issuing new firmware eliminating the vulnerability, posting notices on its website, and distributing emails to registered users.
- 10 Pros and Cons of Jailbreaking Your iPhone or iPad
- How HTTPS Safeguards Your Browsing
- Email Encryption: Worth The Trouble?