Friday 6 September 2013

Security Cam Makers Sued When Video Feeds Go Public; Maybe You Shouldn't Use Networked Cameras

When you buy a shiny new network security camera, you expect that you're the only person who will see the feed. But as SecurityWatch readers know, that's not always the case. Now the Federal Trade Commission has announced a settlement with camera maker TRENDnet after consumers' video feeds wound up online. The feds are calling it the first suit regarding the Internet of Things, but maybe we should just stop buying these cameras.
The Charges
In a press release, the FTC enumerated TRENDnet's security shortcomings that led to over 700 private video feeds being publicly accessible. According to the FTC, TRENDnet cameras did not establish any password requirements for their devices and transmitted user login information in plain text over the Internet. The company also stored login credentials in plain text on Android devices.
The FTC statement makes clear that the charges hinged on TRENDnet's claim that its products were secure. That was far from the case, even after TRENDnet pushed out a software patch.
The statement crows that this was the first suit brought against a company marketing a product for the so-called Internet of Things, where even mundane devices are connected to the Internet. "The Internet of Things holds great promise for innovative consumer products and services," said FTC Chairwoman Edith Ramirez in the press release. "But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet."
Just how bad was the security situation? The statement describes what was available online for anyone to see. "The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives." Spooky.
We've Seen This Before
The issues with TRENDnet were first disclosed in 2010, said the FTC. But in the three years since the initial disclosure, other companies haven't managed to lock down their network security products either.
In mid-August, we brought you the story of one couple who had installed video baby monitors only to find that a hacker was using them to shout obscenities at their young daughter. The cameras in question had a security patch pushed out after launch that the victims didn't know about, probably similar to what happened with TRENDnet.
Before that, a presentation at Black Hat demonstrated how just about any camera could be taken over with minimum effort. During the demo, Craig Heffner placed a bottle of beer in front of a camera, fed the camera a static image of the scene, and then plucked the beer without being caught on video. It was a regular heist-movie maneuver.
Even more troubling, Heffner pointed out that once he was in control of the camera, he had a foothold on his target's network and could do just about whatever he pleased. When asked how widespread the issue was, Heffner said that he had yet to find a camera that he couldn't hijack.
Enough Already
There's a lot to be gained by connecting more and more devices to the Internet, but it does open up new avenues of attack that can strike closer to home than ever before. DSLR cameras, networked office phones, even the camera on your laptop can be used by the determined attacker to reach out and touch your home.
Taking precautions is a good start: update your software frequently, and actually go out and check if there are updates for the devices you purchase. Create a password even when it's optional, and use a password manager like LastPass 2.0 or Dashlane 2.0 to create unique, complex passwords.
But for attacks like these, where the intimate interiors of our lives could be laid bare, I propose that we go a step further and make critical decisions about the products we purchase. If you're going to buy a computer with a built-in webcam, keep it covered when it's not in use. If you really need a security camera system, choose an old-school model that doesn't connect to the Internet.
With any luck, the FTC case will force vendors to be a little more careful before they roll out products. Or maybe they'll just slap a big ol' asterisk after the word "secure" on their packaging.
