Security is the reason to install a security camera, but if that live-streaming footage is made public for would-be criminals to study, then doesn’t that pose a security risk? If a security camera is installed in a home, whether it is to watch the baby or the babysitter, and everyone who wants to can also watch the surveillance footage as it happens, then isn’t that a privacy risk? Almost a year ago, we looked at a security vulnerability in TRENDnet streaming IP cameras that allows voyeurs to spy in real time into homes and offices. The Google map below shows TRENDnet cameras that still provide a Peeping Tom paradise and allow voyeurs to secretly armchair spy on strangers.
The map is part of an awareness campaign. “Lots of TRENDnet cams have a severe flaw allowing access without password. We want to raise awareness about it,” says @TRENDnetExposed. “Our bot will continue crawling and publishing affected cams” for #TRENDnetExposed.
It’s been over five hours since I emailed TRENDnet, made the company aware of the 406 links to vulnerable cameras posted on Pastebin, and the Google map of vulnerable TRENDnet Cams worldwide, as well as the awareness campaign. The company claimed to have done everything it could, but some cameras were not registered and therefore the owners couldn't be contacted to tell them about the vulnerability and the need to update the firmware. I asked if that is still the reason there are so many TRENDnet security cameras that are still vulnerable.
On January 10, 2012, console cowboy identified a security vulnerability in TRENDnet streaming IP cameras. On 2/7/2012, TRENDnet said its IP camera firmware eliminates security threat. On 2/14/12, the president of TRENDnet wrote about the IP camera hack. "It has come to TRENDnet’s attention that hackers may be able to gain unauthorized access to TRENDnet’s IP Camera video feeds for select models sold between April 2010 and February 2012. Contrary to many published articles, TRENDnet took immediate action to eliminate this threat." As you know, it's now January 2013.
Since there was no reply from TRENDnet, I next contacted the busy Florida veterinary clinic from which the images above were captured. They had covered the camera and said I was the fifth person to call them and let them know. When I asked if their security camera had been registered, since if not then perhaps that is why the firmware was not updated to patch this Peeping Tom hole, I was referred to their IT person, who installed it and would know. He didn’t return my call.
It's been nearly a year since the TRENDnet security camera vulnerability became public, so let's try to raise awareness about the privacy-decimating issue. They say a picture is worth a thousand words, so now these numerous TRENDnet security video camera screenshots can do the talking.
Since the cameras are located all over the world, checking them out revealed lots of snow, darkness, businesses that still have Christmas tree displays up, lots of cameras on pet cages, pets, nurseries and kids' rooms as well as on baby cribs. No password was required to access the security camera streams.
Despite the timestamp, the image below was captured this morning from a TRENDnet IP security cam inside someone's home due to the vulnerability. If you recognize this room and can tell the people to whom it belongs about the firmware update, perhaps you can also help them set up the correct timestamp?
Do you suppose the employees in the images below know that the offices are being watched by cameras?
Do you suppose the people have that uncanny feeling like someone is watching them?
This was the original article: Backdoor in TRENDnet IP Cameras Provide Real-Time Peeping Tom Paradise? As the captured screenshots of live-streaming security video clearly illustrate, the answer is yes: the TRENDnet cam vulnerability may remain an exploitable Peeping Tom paradise for a long time. If you know anyone who uses a TRENDnet IP security camera, please tell them to update the firmware so strangers can stop spying on them.
Update from TRENDnet IT Director Brian Chu:
TRENDnet learned of the security vulnerability on affected IP cameras in late January, 2012.
We took the following actions:
- Identify affected TRENDnet IP cameras.
- Halt shipping on affected cameras.
- Affected cameras were taken off shelf from worldwide retail outlets.
- Issued press releases regarding the potential security breach to general public.
- Issued firmware security patch for the affected cameras in early February, 2012.
- Notified worldwide business partners regarding affected cameras, asking them to notify their end-user customers.
TRENDnet is doing everything it can to notify all TRENDnet IP camera users to update the critical security firmware on affected cameras. Obviously, it is an ongoing project.
We appreciate your help in notifying TRENDnet IP camera users.
Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. Smith has a diverse background in information technology, programming, web development, IT consulting, and information security. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.
Smith is an independent contractor and is not affiliated with any vendor that makes or sells information technology.