
Unpatched TRENDnet IP cameras still provide a real-time Peeping Tom paradise

Google map + TRENDnet security camera vulnerability = Hours of voyeurism and Peeping Tom paradise

Security is the reason to install a security camera, but if that live-streaming footage is made public for would-be criminals to study, then doesn’t that pose a security risk? If a security camera is installed in a home, whether it is to watch the baby or the babysitter, and everyone who wanted to could also watch the surveillance footage as it happens, then isn’t that a privacy risk? Almost a year ago, we looked at a security vulnerability in TRENDnet streaming IP cameras that allows voyeurs to spy in real time into homes and offices. The Google map below shows TRENDnet cameras that still provide a Peeping Tom paradise and allow voyeurs to secretly armchair spy on strangers.

The map is part of an awareness campaign. “Lots of TRENDnet cams have a severe flaw allowing access without password. We want to raise awareness about it," says @TRENDnetExposed. "Our bot will continue crawling and publishing affected cams" for #TRENDnetExposed.

It’s been over five hours since I emailed TRENDnet and made the company aware of the 406 links to vulnerable cameras posted on Pastebin and the Google map of vulnerable TRENDnet cams worldwide, as well as the awareness campaign. The company claimed to have done everything it could, but some cameras were not registered and therefore the owners couldn't be contacted to tell them about the vulnerability and the need to update the firmware. I asked if that is still the reason there are so many TRENDnet security cameras that are still vulnerable.

On January 10, 2012, console cowboy identified a security vulnerability in TRENDnet streaming IP cameras. On 2/7/2012, TRENDnet said its IP camera firmware eliminates security threat. On 2/14/12, the president of TRENDnet wrote about the IP camera hack. "It has come to TRENDnet’s attention that hackers may be able to gain unauthorized access to TRENDnet’s IP Camera video feeds for select models sold between April 2010 and February 2012. Contrary to many published articles, TRENDnet took immediate action to eliminate this threat." As you know, it's now January 2013.

Busy animal hospital TRENDnet IP cam security vulnerability

Since there was no reply from TRENDnet, I next contacted the busy Florida veterinary clinic from which the images above were captured. They had covered the camera and said I was the fifth person to call them and let them know. When I asked if their security camera had been registered, if not then perhaps that is why the firmware was not updated to patch this Peeping Tom hole, I was referred to their IT person who installed it and would know. He didn’t return my call.

It's been nearly a year since the TRENDnet security camera vulnerability became public, so let's try to raise awareness about the privacy-decimating issue. They say a picture is worth a thousand words, so now these numerous TRENDnet security video camera screenshots can do the talking.

Sleeping baby as seen with no password required via TRENDnet security camera flaw
TRENDnet IP Camera security flaw allows Peeping Toms into baby cribs

Since the cameras are located all over the world, checking them out revealed lots of snow, darkness, businesses that still have up Christmas tree displays, lots of cameras on pet cages, pets, nurseries and kids rooms as well as on baby cribs. No password was required to access the security camera streams.

TRENDnet IP security vulnerability, peeping into home private life
Shredding privacy and playing Peeping Tom via security hole in TRENDnet IP security cameras
TRENDnet security camera, no password required to peek inside homes, watch pets

Despite the timestamp, the image below was captured this morning from a TRENDnet IP security cam inside someone's home due to the vulnerability. If you recognize this room and can tell the people to whom it belongs about the firmware update, perhaps you can also help them set up the correct timestamp?

despite timestamp, captured this morning from TRENDnet IP security cam inside someone's home due to vulnerability

Do you suppose the employees in the images below know that the offices are being watched by cameras?

Spying on employees in offices, no password required

Do you suppose the people have that uncanny feeling like someone is watching them?

Camera surfing, no password required for TRENDnet IP security cameras
Mohawk Mountain ski lift

Lastly, you know how there are all those warnings about photographers, videographers or other potentially suspicious folks around airports? How handy is this surveillance for actual bad actors?

Hartford airport via TRENDnet security camera

This was the original article: Backdoor in TRENDnet IP Cameras Provide Real-Time Peeping Tom Paradise? As the captured screenshots of live streaming security video clearly illustrate, the answer is yes: the TRENDnet cam vulnerability may remain an exploitable Peeping Tom paradise for a long time. If you know anyone who uses a TRENDnet IP security camera, please tell them to update the firmware so strangers can stop spying on them.

Update from TRENDnet IT Director Brian Chu:

TRENDnet learned of the security vulnerability on affected IP cameras in late January, 2012.

We took the following actions:

  1. Identify affected TRENDnet IP cameras.
  2. Halt shipping on affected cameras.
  3. Affected cameras were taken off shelf from worldwide retail outlets.
  4. Issued press releases regarding the potential security breach to general public.
  5. Issued firmware security patch for the affected cameras in early February, 2012.
  6. Notified worldwide business partners regarding affected cameras, asking them to notify their end-user customers.

TRENDnet is doing everything it can to notify all TRENDnet IP camera users to update the critical security firmware on affected cameras. Obviously, it is an ongoing project.

We appreciate your help in notifying TRENDnet IP camera users.

Follow me on Twitter @PrivacyFanatic
