The BBC has reported that the video feeds from thousands of Trendnet home security cameras have been freely available without a password. The cameras are typically used to allow owners to remotely monitor their homes, bedrooms, children, or offices, but have in fact allowed anyone to look in.
The vulnerability was published on the Console Cowboys website on January 10. “There does not appear to be a way to disable access to the video stream,” wrote the author. “I can't really believe this is something that is intended by the manufacturer. Let's see who is out there :)”
Since January 12, Trendnet has been developing and releasing updated firmware for 26 vulnerable models. One problem, however, is that only about 5% of users registered their purchase, so the company is unable to directly contact at-risk customers. Meanwhile, vulnerable feeds can be easily found via specialist search engines such as Shodan. “Last I ran this there was something like 350 vulnerable devices that were available via shodan. Enjoy,” wrote Console Cowboys. That 350 rapidly grew. “Within two days, a list of 679 web addresses had been posted to one site, and others followed”, reports the BBC.
This issue raises a number of security and privacy questions, many of which have been taken up by lawyer and privacy/data protection expert Tara Taubman. One is the whole privacy/surveillance question: is the risk worth the surveillance, she asks. And how should the UK's ICO react – how can it ensure that users are informed of such failures? The lawyer has also written to Trendnet asking why the company cannot be more proactive, for example by remotely disabling the feeds and replacing them with a static screen explaining the exploit and how to update the firmware. “Apart from the privacy issues,” she wrote, “any employee or ex-Trendnet employee with the address of the places, can just watch out when the place is empty for robbery.”
Meanwhile, all Trendnet users should visit the Trendnet website for a critical firmware update.