One of the most obvious benefits of the Internet of Things is that we’re able to keep a better eye on stuff – for example we can set up wireless cameras to monitor our homes or business premises while we’re away, or we can use these cameras to keep an eye on the kids when they get home from school, or to keep watch over newborns sleeping in the bedroom.
But just imagine for a moment that the feed you’re watching over the internet is totally unsecured, and that anyone can access your private feed.
This is exactly what happened to hundreds of people who set up TrendNet’s SecurView IP cameras in their homes and business premises, when a hacker found a flaw in their security and posted links to the live feeds of almost 700 cameras. Pretty horrifying to think that any old perv could be sat there getting themselves off over your kids, right?
It’s a pretty outrageous security lapse, and for that the company was charged with “lax security” and “false representation” of its SecurView cameras for being secure and suitable for maintaining security. Now, TrendNet has just reached a settlement with the Federal Trade Commission, in which it agreed to implement better security to address these security risks.
While TrendNet said that its cameras were secure, in actual fact a flaw in its software meant that they were left open to being viewed, and in some cases listened to, by almost anyone over the web.
The FTC’s case against TrendNet was the first of its kind involving a company selling products for the Internet of Things.
Edith Ramirez, chairwoman of the FTC, warned that such companies would have to buck up their ideas on security:
“The Internet of things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet.”
The case against TrendNet was that it had marketed its cameras as being suitable for baby monitoring, home security and other security uses. However, since April 2010, the firm had failed to deliver reliable security or test its products against intrusions. In January 2012, a hacker took advantage of its weak security, discovering a flaw before posting links to around 700 live feeds from TrendNet cameras. Anyone clicking on these links would be able to view babies sleeping in their cribs, children playing in their homes, and adults getting on with their daily business.
It’s unclear to what extent anyone’s privacy may have been compromised, but upon learning of the flaw TrendNet did at least do the right thing, issuing a patch and warning its customers to update their cameras.
However, the company also made a second critical mistake, transmitting customers’ security credentials in readable text over the web, failing to encrypt them in any way. It’s not known if this led to any further security breaches.
Following the settlement, TrendNet has agreed to no longer misrepresent the security of its products, and has agreed to encrypt any customer data it transmits. The company has also been barred from misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit, while it has agreed to establish a security program to address any future risks that could result in a breach of its security. In line with this, the company will submit itself to third-party security assessments every two years for the next two decades.