Feeds

TRENDnet home security cam flaw exposes thousands

Just when you thought you were alone in the bath

The Power of One eBook: Top reasons to choose HP BladeSystem

TRENDnet has acknowledged a flaw that meant that live feeds from its home security cameras were accessible online without needing a password.

The US-based manufacturer admitted the problem - which affects its SecurView Cameras bought after April 2010 - and began releasing firmware updates designed to plug the hole on Monday. It apologised to its customers for the snafu in a security bulletin (extract below) that provides links to the relevant security upgrades.

TRENDnet has recently gained awareness of an IP camera vulnerability common to many TRENDnet SecurView cameras. It is TRENDnet’s understanding that video from select TRENDnet IP cameras may be accessed online in real time. Upon awareness of the issue, TRENDnet initiated immediate actions to correct and publish updated firmware which resolves the vulnerability.

The problem came to light after a montage of feeds from insecure Trendnet cameras was posted on an online forum in the early part of last month. IP addresses linked to video streams were also posted on various messageboard sites at around the same time, the BBC reports.

The accessibility of live feeds to anyone on the net who sought to look is particularly worrisome as TRENDnet's home security cameras are often placed by parents in children's bedrooms and other sensitive locations. Prospective voyeurs only needed to know a user's IP address, as well as the identical sequence of 15 characters used by affected TRENDnet cameras, to gain access to a live video feed.

Online search engines might easily be used to automate the process of finding vulnerable camera feeds.

TRENDnet told the BBC that it became aware of the problem on 12 January, and since then has been developing and testing firmware fixes to resolve the coding error, which apparently was introduced two years ago. Registered users have been informed by email of the snafu already but the firm only published an advisory on Monday – after news of the problem broke. ®

Designing a Defense for Mobile Applications

More from The Register

next story
DARPA-derived secure microkernel goes open source tomorrow
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Don't look, Snowden: Security biz chases Tails with zero-day flaws alert
Exodus vows not to sell secrets of whistleblower's favorite OS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
prev story

Whitepapers

Designing a Defense for Mobile Applications
Learn about the various considerations for defending mobile applications - from the application architecture itself to the myriad testing technologies.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Top 8 considerations to enable and simplify mobility
In this whitepaper learn how to successfully add mobile capabilities simply and cost effectively.
Seven Steps to Software Security
Seven practical steps you can begin to take today to secure your applications and prevent the damages a successful cyber-attack can cause.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.