Posted by: Clarinette | February 7, 2012

Would you like a webcam in your bedrooms and bathrooms broadcasting live?

Update 23/03/2012: ‘Russian webcam hackers spy on UK homes & offices’

‘Website shows footage of babies sleeping in cots, offices and even a pub.

Webcam and CCTV owners are being urged to secure access to surveillance devices after it emerged a Russian website is making the footage available for anyone to view online.’

‘Hackers post webcam, security camera, baby monitor video online’
—–

Update 4 September 2013: ‘FTC settles with Trendnet after ‘hundreds’ of home security cameras were hacked’

——-

Thanks to @TechLOG for pointing me to this article by Infosec Island, ‘Wireless Security: Wi-Fi Hacking Burglars Get Busted’.
This is one example of burglars in Seattle using unsophisticated equipment to hack into the Wi-Fi networks of ‘over a dozen businesses along with 41 burglaries’.

Should companies such as TrendNet take their customers’ security more seriously, especially when they are selling security devices?

They are alleged to have stolen at least $750,000 in funds, computer equipment and other items.

No, this is not the Big Brother program, these are not actors, just normal people wanting to be ‘secure’. I can imagine the commercial argument of vendors explaining how wonderfully the tiny little camera could help them keep an eye on their lovely little baby, giving out the statistics about the number of babies dying from apnea blah blah blah….

Yes, apnea is a serious issue and I should not undermine its importance.

Rather disturbing was the news I spread on Twitter this morning about web surveillance cameras in homes, bedrooms and bathrooms broadcasting live online, caused by a failure in the firmware of the much-praised webcam. I asked the BBC journalist Leo Kelion, who reported the incident, whether he was at all surprised that so many cameras had been installed in bedrooms. Obviously, he was not surprised at all. As I mentioned to the journalist, I can understand a marginal need for such surveillance for babies who suffer from apnea, or elderly people, etc… In those cases, there is a need for permanent surveillance. I am less sure about the need to broadcast online. @PaulBernalUK had a technical argument for it on which I cannot comment.

What I wish Kelion could have answered was which other rooms were monitored, apart from his mention of the bathroom, and whether recordings were kept of the footage. I have also Googled the product and nowhere could I find any warning or notification for buyers about the firmware security hole. According to the article, the company could not contact them, as buyers rarely register their product. That means the movie is still on? What have they done to notify the data breach?

Here is the BBC report! http://www.bbc.co.uk/news/technology-16919664

What do you think you would do? Do you think the security risk is worth the surveillance?
How should the Information Commissioner ensure that users are informed of this failure?

These technologies find their legitimate use in some specific cases such as people with dementia, elderly people or babies with high risk of apnea. Dealing with highly sensitive data, how should they comply with strict regulations?

I don’t think we can reject them en bloc by making privacy rights prevail over the power of technology for well-being.

UPDATE:

Thank you to Leo Kelion for passing on more details on what the cameras have been broadcasting.

InformationWeekSecurity reports: “someone posting under the handle “someluser” on the Console Cowboys blog reported finding that while the Trendnet TV-IP110w–SecurView Wireless Internet Camera–he tested could be configured to require passwords, it would also accept anonymous requests. Taking what he learned, he was able to query Shodan–a search engine that can locate specific types of Internet-connected devices, including their IP addresses–and find at least 350 vulnerable devices. All of the cameras could apparently be accessed by appending the same 15-character code snippet to the camera’s IP address.

That finding was picked up last week by the Verge, which reported that following the Console Cowboys post, “links to the compromised feeds spread quickly on message boards like Reddit and 4chan,” while Pastebin posts released shortly thereafter listed links to what they said were 1,000 accessible webcams. Those links reportedly resolved to everything from children’s rooms and cat beds to parking lots and office doors.

The Trendnet research echoes a recent study conducted by HD Moore, who found that numerous videoconferencing systems are misconfigured and poorly secured, which gives attackers the ability to eavesdrop on sensitive communications.”
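As an added illustration (not code from the original post, InformationWeek, or TRENDnet), here is a minimal model of a camera's HTTP request dispatcher showing the class of flaw quoted above: a password check applied route by route can miss the stream endpoint, so a device "configured to require passwords" still serves anonymous requests, whereas one fail-closed gate in front of every route cannot miss it. The paths, the password and the audit helper are constructed for this example; the real camera's request string is deliberately not reproduced.

```python
# Added example: per-route auth (vulnerable) vs. a global fail-closed gate (hardened).
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ADMIN_PASSWORD = "constructed-secret"   # constructed sample credential, not a real one

@dataclass
class Request:
    path: str
    password: Optional[str] = None      # None models an anonymous (unauthenticated) request

def _authorised(req: Request) -> bool:
    return req.password == ADMIN_PASSWORD

# Vulnerable pattern: each handler decides for itself whether to check the password.
# The admin page remembers to check; the (hypothetical) snapshot route does not.
def dispatch_vulnerable(req: Request) -> Tuple[int, str]:
    if req.path == "/admin":
        if not _authorised(req):
            return 401, "auth required"
        return 200, "admin page"
    if req.path == "/snapshot.jpg":     # hypothetical stream path for the example
        return 200, "JPEG frame"        # no check at all: anyone on the network sees the feed
    return 404, "not found"

# Hardened pattern: an explicit allow-list of public paths; everything else must
# pass the password check before any handler runs, so a forgotten check is impossible.
PUBLIC_PATHS = frozenset({"/login"})

def dispatch_hardened(req: Request) -> Tuple[int, str]:
    if req.path not in PUBLIC_PATHS and not _authorised(req):
        return 401, "auth required"     # fail closed for every non-public route
    if req.path == "/login":
        return 200, "login form"
    if req.path == "/admin":
        return 200, "admin page"
    if req.path == "/snapshot.jpg":
        return 200, "JPEG frame"
    return 404, "not found"

# Defender's self-check a vendor or owner could run against their own dispatcher:
# which routes answer 200 to a request carrying no credentials at all?
def anonymous_reachable(dispatch: Callable[[Request], Tuple[int, str]],
                        paths: List[str]) -> List[str]:
    return [p for p in paths if dispatch(Request(p))[0] == 200]

if __name__ == "__main__":
    routes = ["/login", "/admin", "/snapshot.jpg"]
    print("vulnerable:", anonymous_reachable(dispatch_vulnerable, routes))  # ['/snapshot.jpg']
    print("hardened:  ", anonymous_reachable(dispatch_hardened, routes))    # ['/login']
```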

Ongoing curation of links and information on that subject on my Pearltrees (click on each pearl to access the link).


Responses

  1. The data protection questions are quite interesting here.

    Not sure whether the company is based in the EU, but are the cameras streamed through their servers/website, or direct from the owner’s device? The article states that you access them just by typing in their IP address.

    Presumably the streaming function is to allow legitimate remote access by the owner, but is the problem a flaw in the software on the device/settings or a flaw in the company’s server?

    Raises questions over whether the data controller is the company or the owner of the device, and therefore whether the Information Commissioner has any jurisdiction over the issue.

  2. Martin, thanks for sharing your views. Your reasoning on the applicability of the law is based on the location of the servers, which has been the position of the giants of the net. The EU position that I support is more that of the targeted public. If the corporation sells in the EU, and in this case the material seems to have been purchased in the UK, it should be subject to EU regulations and, when the privacy of UK residents is violated, the UK Information Commissioner should protect them.

  3. TRENDnet has posted the resolution to the security breach on their IP cameras. You can check information on affected TRENDnet IP cameras at: http://www.trendnet.com/products/features.asp?featureid=52. You can download critical firmware along with detailed update instructions for the affected TRENDnet IP cameras at http://www.trendnet.com/downloads/.

  4. Not just the location of TRENDnet’s servers, but also the issue that if the device streams directly (and not through TRENDnet’s servers/a TRENDnet-hosted web interface), then TRENDnet may not be a data controller – it is not responsible for processing the data – it’s just its software that’s being used, in the same way that, say, Linux or Microsoft software is used on other web servers.

    The difference with this is that the devices are likely to be used by consumers, not by organisations that should be carrying out security checks on the software they are deploying.

    I think this sort of thing may increase as more devices become web-enabled.

    Perhaps the person from TRENDnet could confirm how it works?

  5. Dear TRENDnet, thank you for your comment. However, I wish you could tell us what you have actively put in place to remedy the breach of security. How can you reply to some of the observations such as:
    why not “just remotely disable the feeds and put up a static screen informing of the exploit and how to update the firmware? That way people can’t view the feeds and the customers are more likely to be informed than by the monthly newsletter. It’s unlikely that they have cameras that they never check.”
    Could the same sort of exploit be used to remotely update the affected cameras?
    Aside from privacy issues, any employee or ex-TRENDnet employee with the address of the places can just watch out for when the place is empty for robbery.

  6. And some more fun stories: https://www.facebook.com/boingboing/posts/10153345421736179

