FTC Approves Settlement for TRENDnet Breach
(CN) - The Federal Trade Commission on Friday approved a final order settling charges that TRENDnet's lax security allowed hackers to view private video feeds from supposedly secure network cameras.
TRENDnet sells Internet Protocol, or IP, cameras to small and midsize businesses, and advertises many of them under the trade name SecurView. Its cameras can be used to monitor "babies at home, patients in the hospital, offices and banks, and more," according to the company.
Users typically need login credentials to access the live feeds, but the FTC said hackers "could and did exploit [a] vulnerability" that put users' private lives on display to complete strangers.
One hacker discovered that private feeds could be accessed without a password if the viewer simply searched the web for a camera's IP address, according to the FTC's complaint. That hacker exposed the breach online, and others posted links to the live feeds of nearly 700 IP cameras, the agency said.
"Among other things, these compromised live feeds displayed private areas of users' homes and allowed the unauthorized surveillance of infants sleeping in their cribs, young children playing, and adults engaging in typical daily activities," the complaint states.
TRENDnet first heard about the breach in January 2012, after a customer alarmed by the headlines contacted tech support. Though the company later issued software eliminating the vulnerability, the FTC says its "failures to provide reasonable and appropriate security" led to the breach.
TRENDnet agreed to the settlement without admitting or denying the charges. The order requires TRENDnet to implement a comprehensive security program designed to address security risks. It must also allow independent parties to assess and report on its security program every two years for the next 20 years.
The company must also notify customers about the security issues with 20 of its camera models and the software update to fix them, and provide free technical support for the next two years.
The FTC voted 4-0 to approve the final order.