It sounds like a simple way to keep an eye on your house, baby, pet or whatever -- just hook up a simple video camera that lets you monitor the goings-on from wherever you may be, courtesy of the Internet.
But the Federal Trade Commission says that's not how things turned out for customers of TRENDnet's SecurView cameras. Although the company claimed the cameras were secure, the FTC says faulty software left them open to viewing -- and sometimes listening -- by anyone on the Internet.
So, consumers who took comfort in being able to keep an eye on their property may have been unwittingly making it easy for burglars and worse to also eyeball their earthly treasures and even listen in on private conversations.
If you use an "IP Camera" -- one connected to the Internet -- you might want to review "Using IP Cameras Safely," a new guide published by the FTC.
Internet of Things
It's the first FTC case to be brought against the growing family of everday products that use the Internet -- generally called the "Internet of Things."
“The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet,” said FTC Chairwoman Edith Ramirez.
In its complaint, the FTC alleges that, from at least April 2010, TRENDnet failed to use reasonable security to design and test its software, including a setting for the cameras’ password requirement. As a result, hundreds of consumers’ private camera feeds were made public on the Internet.
According to the complaint, in January 2012, a hacker exploited this flaw and made it public, and, eventually, hackers posted links to the live feeds of nearly 700 of the cameras. The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives.
Once TRENDnet learned of this flaw, it uploaded a software patch to its website and sought to alert its customers of the need to visit the website to update their cameras.
The FTC also alleged that, from at least April 2010, TRENDnet transmitted user login credentials in clear, readable text over the Internet, even though free software was available to secure such transmissions. In addition, the FTC alleged that TRENDnet’s mobile applications for the cameras stored consumers’ login information in clear, readable text on their mobile devices.
Under the terms of its settlement with the Commission, TRENDnet is prohibited from misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit. In addition, the company is barred from misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit.
In addition, TRENDnet is required to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices. The company also is required to obtain third-party assessments of its security programs every two years for the next 20 years.
The settlement also requires TRENDnet to notify customers about the security issues with the cameras and the availability of the software update to correct them, and to provide customers with free technical support for the next two years to assist them in updating or uninstalling their cameras.