FTC Steps in On TRENDNet IP Camera Issue... After TRENDNet Fixes It...


In mid-2011 it was revealed that many Supervisory Control and Data Acquisition (SCADA) devices were visible on the internet with a simple Google search. What was even more alarming was that many of these devices still had the default username and password set and were visible in the search results. Back in 2009 someone with the same idea had developed a search engine, offered as a service, that found connected devices, making it easier to locate them and… exploit them. In January of 2012 a security flaw was found in the way that many connected IP cameras handled authentication. The flaw was originally found in a TRENDNet IP camera (a discontinued model) and it was a serious one.

The search engine that allowed this new and focused type of search is the paid service Shodan. Shodan allows you to search for anything from web servers to refrigerators (it says so on their site). Shodan has already been used by malicious individuals to “creep” on people by hacking into baby monitors and IP cameras and watching whoever is on the other end. One man in Houston found that someone had hacked into the baby monitor and camera in his 2-year-old daughter’s room.

Now with this in mind we have to wonder how in the world a flaw like the one found in TRENDNet IP cameras could ever have made it past quality control. The flaw is very simple. The web server in the cameras has an “anonymous” directory that is served with no access control at all: the login check that protects the rest of the interface is simply not applied to it. You can disable the guest account or give it a password and the directory is still open to view. Once you know the camera’s IP address there is nothing more to map; it is just a matter of requesting the right path. As an example, the camera at http://x.x.x.x/ can be accessed by hitting the anonymous directory at http://x.x.x.x/anony/mjpg.cgi (or jpgview.htm, mjpeg.cgi, view2.cgi), and if you are looking at one of the affected cameras you get a live video stream back without authenticating at all. The flaw does not affect every TRENDNet IP camera: we tested on ours and even when using the anony directory the web server still asked for authentication. Still, a path like this should not exist in ANY IP camera.
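To make the mechanism concrete, here is an added example that is not TRENDNet’s firmware code and not from the original post. It models the two ways a camera’s web server can decide whether a request needs a login: the flawed way, where a path prefix is exempted before the credential check ever runs, and a deny-by-default way with an explicit allowlist and path normalisation. The credential store, the /login.htm allowlist entry and the probe_camera helper are assumptions made for the example; the only facts taken from the article are the four paths under /anony/. The probe sends unauthenticated GETs for those paths and looks only at the response headers, so it does not download the stream; run it only against a camera you own.

```python
import base64
import hmac
import posixpath
import urllib.error
import urllib.request
from typing import List, Optional, Tuple

# Paths the article reports as returning a stream on affected firmware.
STREAM_PATHS = ["/anony/mjpg.cgi", "/anony/jpgview.htm",
                "/anony/mjpeg.cgi", "/anony/view2.cgi"]

# Constructed credential store for the example (not from any real camera).
USERS = {"admin": "correct horse battery staple"}

# Assumption for the hardened model: the login page is the only public path.
PUBLIC_PATHS = frozenset({"/login.htm"})


def basic_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_auth(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a Basic header, or None if absent or malformed."""
    if not header or not header.lower().startswith("basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:].strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_valid(header: Optional[str], users=USERS) -> bool:
    """True only for a well-formed header naming a known user with the right password."""
    creds = parse_basic_auth(header)
    if creds is None:
        return False
    user, password = creds
    expected = users.get(user)
    # Constant-time comparison so the check does not leak how many bytes matched.
    return expected is not None and hmac.compare_digest(password.encode(), expected.encode())


def authorize_vulnerable(path: str, auth_header: Optional[str], users=USERS) -> bool:
    """Models the flawed design: anything under /anony/ skips authentication entirely.

    Disabling the guest account or changing passwords changes nothing here, because
    the credential check is never reached for that prefix."""
    if path.startswith("/anony/"):
        return True
    return credentials_valid(auth_header, users)


def authorize_hardened(path: str, auth_header: Optional[str], users=USERS) -> bool:
    """Deny by default: normalise the path, allow only an explicit public list, then
    require valid credentials for everything else, video paths included."""
    canonical = posixpath.normpath(path)  # collapses "/anony/../x" before the allowlist check
    if canonical in PUBLIC_PATHS:
        return True
    return credentials_valid(auth_header, users)


def probe_camera(base_url: str, timeout: float = 5.0) -> List[Tuple[str, Optional[int], str]]:
    """Request each stream path with no credentials and record (path, status, content-type).

    Only headers are read, so an MJPEG stream is not downloaded. Network code: not run offline."""
    results = []
    for path in STREAM_PATHS:
        req = urllib.request.Request(base_url.rstrip("/") + path, method="GET")
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                results.append((path, resp.status, resp.headers.get("Content-Type", "")))
        except urllib.error.HTTPError as err:
            results.append((path, err.code, err.headers.get("Content-Type", "")))
        except (urllib.error.URLError, OSError) as err:
            results.append((path, None, str(err)))
    return results


def is_exposed(results: List[Tuple[str, Optional[int], str]]) -> bool:
    """Exposed if any unauthenticated request returned 200 with image or MJPEG content.

    A 401 on every path is what the author saw on their own (unaffected) camera."""
    for _path, status, ctype in results:
        ctype = ctype.lower()
        if status == 200 and (ctype.startswith("image/") or ctype.startswith("multipart/x-mixed-replace")):
            return True
    return False


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "http://x.x.x.x"
    for path, status, ctype in probe_camera(target):
        print(f"{path}: {status} {ctype}")
```

The design point is the order of operations: the flawed check asks “is this path exempt?” before “who is this?”, so any path placed under the exempt prefix is public by construction, regardless of how accounts are configured. The hardened version asks the question the other way round, with a small, explicit list of what may be served anonymously and nothing else.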

According to TRENDNet, as soon as they heard about the hack they pushed out new firmware and stopped shipping product with the affected firmware. Information on how to fix the issue is still available on their website for the cameras in question. Still, the FTC (Federal Trade Commission) felt they needed to do something. They have ordered TRENDNet to improve security across the board on all of their connected camera devices. What is interesting about this is that TRENDNet appears to be working on that already, and the FTC’s ruling does not cover any of the other companies that have the same flaw in their products and expose people’s homes to others. There is a chance that this is a way to send a message without a fight, but it is much more likely that they are just doing this so they look like they are doing something. We certainly hope that it is the former, as there are far too many companies that allow these security flaws to exist in their devices (some very knowingly). This type of behavior should not be allowed, and companies that ship products open to anyone on the internet should be held accountable. Then again, if the companies that make the control devices that run critical infrastructure services are not held accountable… why should these guys be?
