A company that markets video cameras designed to allow consumers to monitor their homes remotely has settled Federal Trade Commission charges that its lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet. This is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the “Internet of Things.”
The FTC’s complaint alleges that TRENDnet marketed its SecurView cameras for purposes ranging from home security to baby monitoring, and claimed in numerous product descriptions that they were “secure.” In fact, the cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address.
“The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet,” said FTC Chairwoman Edith Ramirez.
In its complaint, the FTC alleges that, from at least April 2010, TRENDnet failed to use reasonable security to design and test its software, including a setting for the cameras’ password requirement. As a result of this failure, hundreds of consumers’ private camera feeds were made public on the Internet.
According to the complaint, in January 2012, a hacker exploited this flaw and made it public, and, eventually, hackers posted links to the live feeds of nearly 700 of the cameras. The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives. Once TRENDnet learned of this flaw, it uploaded a software patch to its website and sought to alert its customers of the need to visit the website to update their cameras.
The FTC also alleged that, from at least April 2010, TRENDnet transmitted user login credentials in clear, readable text over the Internet, even though free software was available to secure such transmissions. In addition, the FTC alleged that TRENDnet’s mobile applications for the cameras stored consumers’ login information in clear, readable text on their mobile devices.
Under the terms of its settlement with the Commission, TRENDnet is prohibited from misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit. In addition, the company is barred from misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit.
In addition, TRENDnet is required to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices. The company also is required to obtain third-party assessments of its security programs every two years for the next 20 years.
The settlement also requires TRENDnet to notify customers about the security issues with the cameras and the availability of the software update to correct them, and to provide customers with free technical support for the next two years to assist them in updating or uninstalling their cameras.
The Commission vote to accept the consent agreement package containing the proposed consent order for public comment was 4-0. The FTC will publish a description of the consent agreement package in the Federal Register shortly. The agreement will be subject to public comment for 30 days, beginning today and continuing through October 4, 2013, after which the Commission will decide whether to make the proposed consent order final.
Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments can be submitted electronically. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580. The FTC is requesting that any comment filed in paper form near the end of the public comment period be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
Related Files: In the Matter of TRENDnet, Inc.
Update: TRENDnet issued the following statement today in response to the FTC’s press release:
Upon awareness of a TRENDnet IP camera hack in 2012, TRENDnet immediately initiated every effort to respond to and resolve the hack. TRENDnet immediately released updated firmware which eliminated the published hack for related product models. Product shipments were stopped and corrective firmware updates were performed for all affected models. Substantive resources were dedicated towards the goal of bringing awareness of this hack to consumers.
For over 23 years, TRENDnet has built a reputation of offering network hardware solutions to consumers worldwide. TRENDnet has worked closely with the FTC throughout this process. The product hack and the subsequent FTC action was used as an opportunity to improve best practices which support augmented product security for existing and future products. Furthermore, a systematic security review process from an accredited third party entity helps maintain best practices into the future.
Customers with any questions related to this issue are invited to contact TRENDnet at:[email protected]