Webcam Maker Takes FTC's Heat for Internet-of-Things Security Failure
Remember last month's hack of a baby monitor in a Texas home, which allowed an intruder to spy on and say terrible things to a sleeping infant? Though it quickly gained notoriety, that was far from the first or only such incident. In fact, any webcam or Web-connected device is vulnerable, and a spate of webcam hacks last year prompted the FTC to take action.
The United States Federal Trade Commission on Wednesday announced a settlement with Trendnet over its lax security practices. The action stemmed from privacy invasions that occurred in January 2012, when hackers posted live feeds to the Web from nearly 700 cameras made by the company.
"Right now, we're doing enforcement, as you can see from the Trendnet case," FTC spokesperson Peter Kaplan told TechNewsWorld.
The incident gave Trendnet an opportunity to improve best practices and augment product security, the company said in a statement. On becoming aware of the 2012 hacks, it released a firmware update to rectify the vulnerability, stopped product shipments, and updated all affected models. It also dedicated "substantive resources" to notify consumers.
Spokesperson Tamika Harrison declined to provide further details.
What Happened at Trendnet
Trendnet marketed its SecurView cameras for various uses ranging from home security to baby monitoring and claimed they were secure, the FTC said. However, they had faulty software that let anyone who obtained a camera's IP address look through it -- and sometimes listen as well.
Further, from at least April 2010, Trendnet transmitted user login credentials in clear, readable text over the Internet, and its mobile apps for the cameras stored consumers' login information in clear, readable text on their mobile devices, the FTC said.
It is basic security practice to secure IP addresses against hacking and to encrypt login credentials or at least password-protect them, and Trendnet's failure to do so was surprising.
"It's important for device makers to consider the entire security lifecycle, from inception to design and deployment, and [do so] continuously once their product is in the market," Philip DesAutels, vice president of technology at Xively.
The Walk of Punishment
Trendnet's settlement prohibits it from misrepresenting the security of its cameras or the security, privacy, confidentiality or integrity of the information that its devices transmit.
Further, it cannot misrepresent consumer control over the security of information the devices store, capture, access or transmit; it must notify customers about security issues with the cameras and the availability of a firmware update; and it must provide customers with free tech support for updating or uninstalling their cameras for the next two years.
Finally, Trendnet must establish a comprehensive information security program designed to address security risks that could let hackers access or use its devices; protect the security, confidentiality and integrity of information stored, captured, accessed or transmitted by its devices; and get third-party security audits biennially for the next 20 years.
Frail Grasp on the Big Picture
The hacking of Trendnet's cameras is only the tip of the iceberg as the world moves toward total connectivity in the Internet of Things, which forms the basis for IBM's Smarter Planet Initiative. The IoT will link automobiles, household appliances, mobile devices and just about everything else that accesses the Web.
Cybercriminals and pranksters may have a field day when IoT reaches critical mass.
"Invasion of privacy is only one aspect of the security challenge around the Internet of Things," Jarad Carleton, principal analyst at Frost & Sullivan, told TechNewsWorld. Cybercriminals will be able to hack Web-connected front door locks, and pranksters might turn on the air conditioning of a house in mid-winter or turn lights on or off, for instance.
The best practices for the IoT have been standard practice since the late 1990s, Kevin O'Brien, enterprise solution architect at CloudLock, told TechNewsWorld.
"Don't overconnect your systems, don't trust a locally compromised or accessible device, and do subject your code and hardware to third-party penetration testing, both in blackbox and whitebox variants," O'Brien continued.
The FTC will hold a public workshop Nov. 19 on the IoT to explore the questions of consumer privacy and security, the commission's Kaplan said.