February 7, 2012
Glitch Lets Web Users Watch Video From Home Security Cameras
A seemingly minor coding glitch has created big problems for the popular webcam company Trendnet. A security breach in its home security cameras has allowed web users to access live feeds from some of the devices without entering a password.
In recent weeks, internet addresses have been posted on various message board websites providing links to live footage from unsuspecting users.
In some of the most disturbing instances, unknown internet users have reportedly been able to watch live stream video of children's bedrooms, prompting outrage from many Trendnet customers.
A spokesman for the company told the BBC that the US-based company has been aware of the problem since mid-January and that they immediately contacted all customers who had registered their devices.
Yet with only about 5 percent of the customers who purchased the faulty device registered, some are questioning why the company waited over three weeks before making a public announcement about the problem.
According to its statement, Trendnet is currently working on software updates to amend the coding error.
Zak Wood, the company's director of global marketing, told the BBC's Leo Kelion: “As of this week we have identified 26 [vulnerable] models. Seven of the models - the firmware has been tested and released.”
“We anticipate to have all of the revised firmware available this week. We are scrambling to discover how the code was introduced and at this point it seems like a coding oversight,” he added.
While he was unable to offer an exact number regarding how many exposed units of the camera are currently in circulation, Wood did say that it was “most likely less than 50,000” worldwide.
On January 10, the popular hacker blog ConsoleCowboys first pointed out the problem after discovering that the live video streams from the cameras were accessible to anyone who typed in the correct net address. For each camera, this was simply a combination of the user's IP address followed by an identical series of 15 numbers.
“[A]fter setting up users with passwords the camera is more than happy to let me view its video stream by making our previous request,” wrote the author.
“There does not appear to be a way to disable access to the video stream, I can't really believe this is something that is intended by the manufacturer.”
Moreover, the blogger also noted that a search engine called Shodan could be used to search out vulnerable devices.
“Last I ran this there was something like 350 vulnerable devices that were available,” the blogger wrote almost a month ago.
However, a mere two days after his cautionary posting, lists of addresses for vulnerable devices were springing up all over the Internet, with one site alone posting some 679 web addresses associated with exposed cameras.
While Trendnet initially made no mention of the problem on its website, it did post a number of “critical” updates on its downloads page and has since stopped shipments of potentially affected products to retailers.
“We are just getting to that point to be able to succinctly convey more information to the public who would be concerned,” said Wood.
“We are planning an official release of information to the public concerning this, but in advance I can tell you that this week we are targeting to have firmware to all affected models.”
The security issue affects Trendnet's SecurView line of cameras, which have been on the market since April 2011. Users can find new firmware at the company's website, and Trendnet says the remaining gaps will be fixed within the next two days.