Nearly a month after a console cowboy identified a security vulnerability in Trendnet streaming IP cameras, Trendnet issued a security advisory. So far there have been 26 vulnerable models identified that allow voyeurs to spy in real time on homes and offices. Since many of the cameras were not registered, this vulnerability may remain an exploitable Peeping Tom paradise for a long time.

What happens when a console cowboy identifies a security vulnerability in Trendnet streaming IP cameras? Nearly a month later countless people have snuck in the backdoor without password authentication for a peep show. The vulnerability allows users to tune in and to spy in real time on thousands of private lives via Trendnet home security cameras. “There does not appear to be a way to disable access to the video stream, I can’t really believe this is something that is intended by the manufacturer. Let’s see who is out there :),” wrote user ‘SomeLuser’ on the Console Cowboys blog.

Since looking for these Trendnet cameras “manually is boring and tedious,” SomeLuser created a Python script that uses the Shodan search engine to find the URL of web cam video streams, regardless of whether it has a password on it or not. By now there are all kinds of lists circulating on forums, pastebin and sites like 4chan, giving armchair surfers unobstructed views into offices, homes, living rooms and kids’ bedrooms.

The Verge posted numerous video cam screenshots and noted, “Since the link for each feed is the IP address of the camera appended with the code that allows you to access the stream, it’s not too hard to track down exactly who you’re looking at.”

The particular camera that the security bug was discovered in is a discontinued model that sells for around $70, though SomeLuser says the bug existed in additional models, meaning a wider range of camera owners are vulnerable (including, but perhaps not limited to, models TV-IP110W, TV-IP110WN, TV-IP121WN, and TV-IP410).

The leaked feeds were a mix of small businesses – a store entrance or a stack of servers – and private homes. Several of these residential-use cameras were aimed at a crib, suggesting that these were being used as baby monitors or even “nanny cams” to monitor childcare workers. None of the homes with cameras appeared to be particularly lavish, which suggests the cameras were not as much for protecting valuable property as they were to monitor residents or employees.

Yesterday on 2/6/12, nearly one month after the 1/10/12 vulnerability was posted on Console Cowboys, Trendnet finally issued an IP camera vulnerability notice. “TRENDnet has recently gained awareness of an IP camera vulnerability common to many TRENDnet SecurView cameras. It is TRENDnet’s understanding that video from select TRENDnet IP cameras may be accessed online in real time. Upon awareness of the issue, TRENDnet initiated immediate actions to correct and publish updated firmware which resolves the vulnerability.” “Trendnet SecurView Cameras bought between April of 2010 to the present are believed to be vulnerable.” There are currently 11 camera models listed as affected, but the advisory states that the company will “publish all outstanding firmware within the next 48 hours.”

Zak Wood, Trendnet’s director of global marketing, told the BBC, “We first became aware of this on 12 January. As of this week we have identified 26 [vulnerable] models. Seven of the models – the firmware has been tested and released. We anticipate to have all of the revised firmware available this week. We are scrambling to discover how the code was introduced and at this point it seems like a coding oversight.”

The company claims it can notify registered users, but many of its customers do not register their IP cameras. That should make voyeurs happy as this vulnerability may be around for a very long time. If you are using such a camera, then update your firmware ASAP!

Even before this latest vulnerability, there have been online communities devoted to spying on unprotected or open IP-based camera streams. Way back in 2005, Kevin Poulsen at The Register warned that a simple Google search string could reveal “nearly 1,000 installed network cameras made by Swedish-based Axis Communications, the other turns up about 500 cameras sold by Panasonic.” Ironic, is it not, that a device meant to provide security can decimate both privacy and security?

Meanwhile there is a debate underway on whether police can conduct public surveillance from video cameras installed on private property. Privacy International published a list of “47 county and state police departments, 10 sheriff’s offices, 12 prosecutor’s and district/state attorney’s offices” who attend the ISS World surveillance industry conferences right “alongside Libyan and Egyptian intelligence agencies…. Small town law enforcement seems to be just as fascinated by the new spy technologies as the Bahraini intelligence services.”