You’re on Candid Camera

In the words of the old TV show, “Smile. You’re on Candid Camera.”  But according to an FTC lawsuit alleging lax security by a company selling internet cameras, for the hundreds of consumers whose private lives were watched online, there was nothing to smile about.

California-based TRENDnet sells tech gear, including IP cameras many buyers use for security purposes — for example, to monitor the baby or their house or business while they’re out.  Users could set the camera up and watch the live feed online from another location.  But the FTC says there was an “oops” and it was a real whopper.  Due to a flaw in the software, the online feed could be watched (and in some cases, heard) by anyone with the camera’s internet address.

The consequences to consumers weren’t hypothetical.  The FTC says a hacker publicized the flaw in January 2012.  It didn’t take long for others to post links to the live feeds of nearly 700 cameras — meaning that anyone so inclined could secretly watch other people’s babies in their cribs, someone else’s kids playing, or the day-to-day goings-on in users’ homes.

How did that happen?  According to the FTC, TRENDnet failed to take reasonable steps to develop and maintain secure software.  By default, TRENDnet required users to enter login credentials (a user name and password) to access their feeds.  But due to the company’s security failures, there was a “backdoor” that allowed hackers to visit a website where the camera feeds could be accessed without ever entering login credentials.  What’s more, even where login credentials were used, the company transmitted them in clear, readable text over the internet, despite free access to software that would have secured the information. That made the cameras even more vulnerable.  Compounding the problem was that the company provided users with a setting to turn off the login credentials requirement.  That, says the FTC, gave reasonable consumers the impression they were in control of who could view their feed, not some random Joe anonymously watching in private.

TRENDnet also provided apps so people could view their feed via a mobile device.  Those apps required login credentials the first time, but stored them on the device so people wouldn’t have to enter them after that.  There again, the FTC says the company failed to secure the credentials and stored them in plain text, creating an additional security loophole.

Oh, and did we mention that many of the cameras were marketed under the trade name “SecurView” and featured a sticker with the word SECURITY next to a picture of a padlock?

According to the complaint, TRENDnet’s express and implied claims that the company had taken reasonable steps to ensure users’ security were false.  Also false:  the representation that the company would honor the security setting users chose.  In addition, the complaint alleges that when taken together, what the company did — and didn’t do — failed to provide reasonable security to prevent unauthorized access to live feeds.  That amounted to an unfair practice, says the FTC.

To settle the case, TRENDnet will have to implement a comprehensive security program designed to protect data and address security risks that could lead to unauthorized access on any of the company’s internet-accessible products, not just IP cameras.  TRENDnet also will have to get independent third-party security assessments every other year for the next 20 years.  In addition, they have to notify consumers about the problem, tell them about the corrective security update, and offer free technical support for two years to help people update or uninstall their cameras.

What does the FTC want companies to learn from this settlement?  If you sell internet-connected devices, take reasonable steps to protect users’ privacy and security.  Whether you sell hardware, software, or both, it’s unwise to market products with gaping holes hackers can exploit.  Furthermore, have a process in place to find out about flaws that may affect your products and services.  According to the FTC’s complaint, TRENDnet didn’t actively monitor discussions of its products online, and thereby delayed the chance to find out about the problem and fix it pronto.

If you own a TRENDnet IP camera, make sure you have the company's security patch. If you bought a similar camera from another company, read Using IP Cameras Safely for tips on reducing the risks.  You also can file an online comment about the proposed settlement.  The deadline is October 4th.

While we're on the subject of home technology, check out the latest on the FTC's Internet of Things workshop, set for November 19, 2013, in Washington, DC.