Trendnet security cam flaw exposes video feeds on net

Seen something interesting in the news or on the intertubes? Discuss it here.

Moderators: Hawknc, Zamfir, Prelates, Moderators General

Trendnet security cam flaw exposes video feeds on net

Postby Angua » Tue Feb 07, 2012 11:50 am UTC

Trendnet security cam flaw exposes video feeds on net

Ok, so basically a blogger who had one of these cams noticed that the password didn't actually protect anything if you had the right url, and that it was pretty easy to find the url required to view the feed. This was on the 10th of January - trendnet said they became aware on the 12th. They tried to identify susceptible models and email customers, but apparently knew they couldn't identify everyone, and didn't mention that anywhere on their website, and instead tried to quietly fix the problem (at the time of the article's writing, they still didn't mention it).

I think this is pretty scandalous - they should have warned people that this could be a problem when they became aware, instead of sweeping it under the rug and letting a bunch of people get spied on (there were websites that let you find feeds, some of them complete with a google-maps location).
“When we remember we are all mad, the mysteries disappear and life stands explained.” - Mark Twain
User avatar
Angua
Don't call her Delphine
 
Posts: 4092
Joined: Tue Sep 16, 2008 12:42 pm UTC
Location: UK/[St. Kitts and] Nevis Occasionally, I migrate to the US for a bit

Re: Trendnet security cam flaw exposes video feeds on net

Postby Chen » Tue Feb 07, 2012 1:18 pm UTC

I gotta wonder at the difference in sweeping things under the rug and not making something widely known. The BBC article is actually pretty terrible in this regard. It doesn't say which models are affected so people don't know to turn theirs off, but it informs the public that there are sites out there you can search to find addresses to spy on people. To me it seems to exacerbate the issue, especially considering they've said they're fixing it this week. Why post this article before the fix is in place and give people more time to spy on others?

Discovering it on Jan 10 and only fixing it now does seem a bit long to me, but I am not familiar with how their software works. Them contacting registered users was good, and I don't see a good method of getting this information out there without further compromising user's security. I suppose it also depends on how many people had these models. If its a large number than making it public is good since its likely a large number will stop using their device compared to the people who want to hack into the feeds. But if its a small number of people, it may be WORSE to make it public knowledge when you'll have a larger number of people who now START spying compared to those who see the news and turn their cameras off.
Chen
 
Posts: 3920
Joined: Fri Jul 25, 2008 6:53 pm UTC
Location: Montreal

Re: Trendnet security cam flaw exposes video feeds on net

Postby Angua » Tue Feb 07, 2012 1:25 pm UTC

They are priding themselves on privacy, and so should let people know when they're compromised. They knew that about 5% of people registered with email addresses - they should have found some way of making it better known that this would happen. I get that it could be a risk between telling even more people about the problem (but it looks like a large number of people knew already) who would be able to abuse that, but the fact that these people were having their privacy already invaded should come first - they should have issued something similar to a product recall to let people know that they could be affected.
“When we remember we are all mad, the mysteries disappear and life stands explained.” - Mark Twain
User avatar
Angua
Don't call her Delphine
 
Posts: 4092
Joined: Tue Sep 16, 2008 12:42 pm UTC
Location: UK/[St. Kitts and] Nevis Occasionally, I migrate to the US for a bit

Re: Trendnet security cam flaw exposes video feeds on net

Postby Chen » Tue Feb 07, 2012 2:35 pm UTC

Angua wrote:They are priding themselves on privacy, and so should let people know when they're compromised. They knew that about 5% of people registered with email addresses - they should have found some way of making it better known that this would happen. I get that it could be a risk between telling even more people about the problem (but it looks like a large number of people knew already) who would be able to abuse that, but the fact that these people were having their privacy already invaded should come first - they should have issued something similar to a product recall to let people know that they could be affected.


I'm still of the opinion that informing people publicly of the issue would have been a bad idea considering the number of affected people compared to the number of people who would decide to use that information negatively. Now, recalling the products though, that would have been a good thing to do. Wouldn't have exposed much added risk and would have protected people's privacy. Clearly companies don't like to recall things and here they clearly put their image ahead of their customers which I agree is an issue.
Chen
 
Posts: 3920
Joined: Fri Jul 25, 2008 6:53 pm UTC
Location: Montreal

Re: Trendnet security cam flaw exposes video feeds on net

Postby Iulus Cofield » Tue Feb 07, 2012 4:05 pm UTC

Hiding problems and hoping no one will notice is one of the most despicable business practices and it seems to be SOP nearly everywhere. They should have informed every customer by email and a message on their website, then disabled the web streaming of all affected models with the option for the user to reenable after clicking a box saying they are aware of the security flaw.

And that is how you actually protect consumers.
User avatar
Iulus Cofield
WINNING
 
Posts: 2931
Joined: Wed Apr 07, 2010 9:31 am UTC

Re: Trendnet security cam flaw exposes video feeds on net

Postby TheAmazingRando » Tue Feb 07, 2012 9:50 pm UTC

Hasn't this been a recurring flaw in consumer security cameras? I remember 7 or 8 years ago you could access thousands of them just by googling the proper terms.
User avatar
TheAmazingRando
 
Posts: 2305
Joined: Thu Jan 03, 2008 9:58 am UTC
Location: San Diego, CA

Re: Trendnet security cam flaw exposes video feeds on net

Postby PhoenixEnigma » Tue Feb 07, 2012 11:22 pm UTC

TheAmazingRando wrote:Hasn't this been a recurring flaw in consumer security cameras? I remember 7 or 8 years ago you could access thousands of them just by googling the proper terms.

Yeah, this is not exactly a new thing, nor a Trendnet thing. It looks like they were just unlucky enough to be the instance the mainstream media picked up on.
"Optimism, pessimism, fuck that; we're going to make it happen. As God is my bloody witness, I'm hell-bent on making it work." -Elon Musk
Shivahn wrote:I am a motherfucking sorceror.
User avatar
PhoenixEnigma
 
Posts: 2291
Joined: Fri Sep 18, 2009 3:11 am UTC
Location: Sasquatchawan, Canada

Re: Trendnet security cam flaw exposes video feeds on net

Postby Angua » Wed Feb 08, 2012 7:51 am UTC

That .... actually makes this even worse. These cameras are advertising themselves as safe and private, and this is a well-known thing that happens? Do the people buying these cameras know about it? If not, then this really should be an issue being reported about.
“When we remember we are all mad, the mysteries disappear and life stands explained.” - Mark Twain
User avatar
Angua
Don't call her Delphine
 
Posts: 4092
Joined: Tue Sep 16, 2008 12:42 pm UTC
Location: UK/[St. Kitts and] Nevis Occasionally, I migrate to the US for a bit

Re: Trendnet security cam flaw exposes video feeds on net

Postby axlan » Mon Feb 27, 2012 7:46 am UTC

TheAmazingRando wrote:Hasn't this been a recurring flaw in consumer security cameras? I remember 7 or 8 years ago you could access thousands of them just by googling the proper terms.


You still can... http://johnbokma.com/mexit/2005/01/09/security-webcam-hunting.html . These are more cases where people intentionally made their cam public, or didn't properly set up the privacy settings.
axlan
 
Posts: 6
Joined: Mon Feb 27, 2012 4:24 am UTC


Return to News & Articles

Who is online

Users browsing this forum: Goldhawk, Ubik and 8 guests