Hackers Infiltrate Home Security Camera Systems

A seller of Internet-based home security cameras and baby monitors has settled with the Federal Trade Commission (FTC) after private video content was accessed by hackers.

TRENDnet sells a range of "SecurView" cameras that allow customers to monitor activity in their homes through the Internet. Suggested uses include monitoring a baby or checking a home's security while away on vacation. The company repeatedly used the word "secure" when marketing its products.

Unfortunately, the security had three major shortcomings. First, there was a design flaw that allowed hackers to bypass a login system and access live feeds.

Second, the company sent login details to customers using a plain text, unencrypted form -- meaning anyone who intercepted the communication would be able to read the information.

Finally, TRENDnet  produced dedicated special mobile applications that stored login details in plain text form -- meaning anyone who got hold of the device could access the camera feeds. (Source: ftc.gov)

Hundreds of People Exposed Online

In January 2012, a hacker shared details of how to exploit TRENDnet's security flaws. A group of hackers then posted links to footage from almost 700 home cameras, letting anyone watch users' private content. Some of that content showed sleeping babies and children playing.

Under the settlement, TRENDnet must contact all customers, alert them to the problems, issue security fixes, and offer support for dealing with the fixes for the next two years.

TRENDnet Under Watch For Two Decades

The firm will also have to undergo independent security audits every two years until 2033 and carry out a full security review.

The settlement also bans it from exaggerating its security features.

Strictly speaking, the FTC action is based on the fact that the company made false claims about its security, not the breaches themselves. (Source: theregister.co.uk)

The fine print of the settlement indicates that TRENDnet isn't admitting any legal responsibility for the security breaches, meaning this can't be used as evidence in any future civil cases.

The FTC pointed out that this was its "first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices -- commonly referred to as the 'Internet of Things.'"