Trendnet home security cams not secure, feeds exposed online

Home security is a multibillion dollar industry, and it’s one that keeps on growing. As we fill our houses and apartments with creature comforts and expensive gadgets, the benefits of technology in safeguarding our homes and our families become increasingly obvious, particularly as the cost of such technologies continues to fall.

In recent years, home camera systems have grown in popularity; many systems can be purchased at relatively low cost, and can be easily set up and managed through apps and home computer programs. There are wired and wireless systems, cameras with motion detectors, and some even offer the ability to remotely interact with each camera via a web-based interface, when you’re on holiday or at work, for example.

It all sounds very nice, very convenient and reassuring – but the problem with security systems is that they aren’t always as secure as they should be. BBC News revealed today that numerous cameras offered by California-based Trendnet, which specialises in networking equipment, are vulnerable to a major flaw, which allows anyone to view the feeds online.

Worse still, the vulnerability has already been seized upon, with thousands of links to video streams of users' camera feeds having been shared on numerous websites.

The flaw was first identified by an unnamed website on 10 January, when a blogger found that anyone with the correct URL for a camera could view it online, even if the system had been protected with a password. It’s been reported that the URL for each camera is also very easy to work out, being largely based upon a user’s IP address.

Within 48 hours, hundreds of feeds had been exposed online, with some even including Google Maps data to identify where the feeds were located (extrapolated from the IP address). One forum included comments from users who were watching a man getting naked in his home; in another feed, a user wrote “Baby Spotted”. Indeed, given that some parents install security systems inside their own homes, hoping to improve the safety and security of their children, it’s unsurprising – although deeply worrying – that some users have reported being able to see feeds from children’s bedrooms.

Zak Wood, Trendnet’s director of global marketing, stated to BBC News that the company has been aware of the problem since 12 January, and has identified 26 cameras in its range that are affected by the flaw. Seven models have received updated firmware so far, with further updates for other vulnerable models currently in testing. The company claims that the issue arose as a result of a "coding oversight" that is being reviewed internally.

Despite being aware of the problem for almost four weeks, Trendnet hasn’t yet issued an official public statement or contacted its customers to explain the issue. Wood stated that fewer than 50,000 customers will have been affected by the vulnerability, adding: “We are just getting to that point to be able to succinctly convey more information to the public who would be concerned. We are planning an official release of information to the public concerning this.”

Report a problem with article
Previous Story

SFR reveals Android update schedule, outs Android 4.0.5

Next Story

Windows Phone retail staff incentives heading for Europe

17 Comments

Commenting is disabled on this article.

This is So creepy. This is why I refuse to keep any of my security cameras in my house and keep them all out of the house and only pointing on the drive way or in my garage. if you want to look around google just google

/anony/mjpg.cgi

Yawn. Problem was found, company was made aware of problem, company is in the process of correcting said problem. Company would like to remain as quite as possible about problem until they have it resolved for all affected products, big deal, par for the course.


knighthawk said,
Yawn. Problem was found, company was made aware of problem, company is in the process of correcting said problem. Company would like to remain as quite as possible about problem until they have it resolved for all affected products, big deal, par for the course.

Idiot!

knighthawk said,
Yawn. Problem was found, company was made aware of problem, company is in the process of correcting said problem. Company would like to remain as quite as possible about problem until they have it resolved for all affected products, big deal, par for the course.

Idiot!

knighthawk said,
Yawn. Problem was found, company was made aware of problem, company is in the process of correcting said problem.

Company's QA should have caught that passwords weren't needed/used by their own firmware and code before shipping. Period.

Class action lawsuit, open and shut case. That's why they're keeping mum about it.

It's the norm, but it's not "perfectly acceptable", quite the opposite. But companies and their complicit media outlets try to convince the gullible among the public to accept it.

Remember the first time your heard all the side effects from a medication commercial, where the side effects are worse than the disease? Now you're used to hearing it on every commercial and just as planned, you're desensitized.

Get upset, speak up, punish the company for doing the wrong thing and send a message to other companies "it's not acceptable" to screw people.

Dismounts soapbox...and sticks the landing. ;-)

I don't think you can compare the two - FDA now makes it mandatory to list side effects on all prescription drug ads. But we get your point.

sanke1 said,
It's perfectly acceptable norm not to publicly acknowledge a problem.

Sad though.

I think that if companies can't regulate themselves then maybe gouv should put some pressure on them. When a product doesn't work as intended a company should have some obligation by laws to resolve the situation as quickly as possible and to publicly acknowledge the problem via at least its website.

Too much companies refuse to publicly acknowledge and do anything about problems with its products.

People pay the have the right to expect a minimum of support.

Disturbing hack and even more disturbing that the company didn't do anything about it right away and still hasn't done a thing.

Simon- said,
Disturbing hack and even more disturbing that the company didn't do anything about it right away and still hasn't done a thing.

Realistically though, are you surprised?