Wednesday, February 8, 2012

When security cameras . . . aren't!


It seems that many thousands of purchasers of security cameras made by one particular company weren't nearly as secure as they thought. The Verge reports:

A few weeks ago, a blog called Console Cowboys exposed a security vulnerability in some models of Trendnet home security cameras. Following the instructions on the site, thousands of streaming personal IP cameras can be accessed. Links to the compromised feeds spread quickly on message boards like Reddit and 4chan, where the adolescent quest for the surreptitiously-viewed nipple kicked into high gear.

Of course, nudity was found: a woman taking off her pajamas in her bedroom, a young mother standing next to a baby crib at night. Screenshots were made and posted to 4chan for teenage boys to ogle. These cameras were purchased by people who believed they would be making their home or workplace more secure. Instead, they became victims of an intimate and personal invasion of privacy.

. . .

While many IP cameras have open feeds that are semi-public and don’t require passwords, a close look at the Trendnet firmware revealed code that can be appended to the IP address of the camera, creating a URL of the camera’s feed that bypasses password authentication. The author of the Console Cowboys post, Someluser, was surprised it even worked:

I can't really believe this is something that is intended by the manufacturer. Let's see who is out there :)

Other available cameras were found by searching shodanhq.com, a semi-shady site that catalogs open devices. Some of the more interesting camera feeds included a laundromat in Los Angeles, a bar and grill in Virginia, living rooms in Korea and Hong Kong, offices in Moscow, a Newark man watching the football game in a Giants jersey, and the inside of a turtle cage.

Console Cowboys posted its instructions on accessing the cameras on January 10, and over the next two days a list of links to over 1,000 camera feeds appeared on Pastebin, a free text storage site popular among programmers and 4channers for storing and sharing snippets of code, Occupy movement screeds, the anti-Scientology manifestos of Anonymous, and the assorted Dane Cook joke. In an email, Someluser said that he was not responsible for creating the long list of links or posting them to other sites. "I would imagine these lists were created by readers and other individuals who have since created script enhancements on the original findings and code....It is hard to say how it ended up on 4chan, it is not a site I frequent."

The Pastebin link list appeared on Reddit’s security forum within a day, and on 4chan’s /b/ board sometime that week. Currently, the list has had over 87,000 hits. Each camera feed may have been viewed by hundreds or thousands of people.


There's more at the link, including screen-capture images taken by many of the 'hacked' cameras.

Trendnet has released a firmware fix for the affected cameras, but that's unlikely to reach all of them. Many of their owners and/or users aren't the type of people who frequent technology Web sites, or are likely to become aware of the problem through news media reports (which are - at least so far - conspicuous by their absence).
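The bug class The Verge describes, a video endpoint that the firmware never puts behind the password check, is easy to illustrate and easy to audit for. The following is an added example, not code from this post, from The Verge, from Console Cowboys or from Trendnet: a toy request dispatcher in Python with the per-route check pattern that produces this kind of bypass beside a deny-by-default version, plus a self-check a firmware developer can run over their own route table. The paths, the user table and the HTTP Basic scheme are constructed for the demo and are not the real camera's.

```python
import base64
import hmac

# Constructed demo credentials; nothing here is a real device default.
USERS = {"admin": "correct horse battery staple"}

# Hypothetical route table for the demo camera firmware.
ROUTES = {
    "/": "<html>camera ui</html>",
    "/stream.mjpeg": "MJPEG-FRAMES",   # the video feed
}


def _authorized(headers):
    """Validate an HTTP Basic Authorization header against USERS."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return False
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:        # malformed base64 / non-UTF-8 payload
        return False
    expected = USERS.get(user)
    if expected is None:
        return False
    # constant-time comparison; compare bytes so non-ASCII input is safe
    return hmac.compare_digest(pw.encode(), expected.encode())


def vulnerable_dispatch(path, headers):
    """Per-route authentication: the UI page checks credentials, but the
    stream handler was written without a check, so anyone who knows the
    path gets the feed regardless of the password."""
    if path == "/":
        if not _authorized(headers):
            return 401, "auth required"
        return 200, ROUTES["/"]
    if path == "/stream.mjpeg":
        return 200, ROUTES["/stream.mjpeg"]     # missing auth check
    return 404, "not found"


def hardened_dispatch(path, headers):
    """Deny by default: authentication is enforced once, before routing,
    so a handler cannot be reachable without it by omission."""
    if not _authorized(headers):
        return 401, "auth required"
    if path in ROUTES:
        return 200, ROUTES[path]
    return 404, "not found"


def basic_header(user, pw):
    """Build the Authorization header a browser would send."""
    token = base64.b64encode(f"{user}:{pw}".encode()).decode()
    return {"Authorization": "Basic " + token}


def unauthenticated_routes(dispatch):
    """Self-check for a route table: every known path must refuse an
    unauthenticated request. Returns the paths that do not."""
    return [p for p in sorted(ROUTES) if dispatch(p, {})[0] != 401]


if __name__ == "__main__":
    print("vulnerable:", unauthenticated_routes(vulnerable_dispatch))
    print("hardened:  ", unauthenticated_routes(hardened_dispatch))
```

The point of `unauthenticated_routes` is that the check is structural rather than per-feature: it walks the whole route table, so a new handler added later without a credential check shows up immediately instead of shipping.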

Moral of the story: don't trust your security to devices that may not be secure themselves!

Peter

2 comments:

skreidle said...

On a tangent, here's a great site full of legitimate public webcams. :) Earthcam.

bobn said...

In the categories I've checked, Trendnet is often the very cheapest.

It turns out that there is a reason.

I bought one of their access-points - no more Trendnet for me.