A company that markets video cameras designed to allow consumers to monitor their homes remotely has settled Federal Trade Commission charges that its lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet. This is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the “Internet of Things.”
The FTC’s complaint alleges that TRENDnet marketed its SecurView cameras for purposes ranging from home security to baby monitoring, and claimed in numerous product descriptions that they were “secure.” In fact, the cameras had faulty software that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address.
“The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet,” said FTC Chairwoman Edith Ramirez.
In its complaint, the FTC alleges that, from at least April 2010, TRENDnet failed to use reasonable security to design and test its software, including a setting for the cameras’ password requirement. As a result of this failure, hundreds of consumers’ private camera feeds were made public on the Internet.
“…hackers posted links to the live feeds of nearly 700 of the cameras. The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives.”
According to the complaint, in January 2012, a hacker exploited this flaw and made it public, and, eventually, hackers posted links to the live feeds of nearly 700 of the cameras. The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives. Once TRENDnet learned of this flaw, it uploaded a software patch to its website and sought to alert its customers of the need to visit the website to update their cameras.
The FTC also alleged that, from at least April 2010, TRENDnet transmitted user login credentials in clear, readable text over the Internet, even though free software was available to secure such transmissions. In addition, the FTC alleged that TRENDnet’s mobile applications for the cameras stored consumers’ login information in clear, readable text on their mobile devices.
Under the terms of its settlement with the Commission, TRENDnet is prohibited from misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit. In addition, the company is barred from misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit.
In addition, TRENDnet is required to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices. The company also is required to obtain third-party assessments of its security programs every two years for the next 20 years.
The settlement also requires TRENDnet to notify customers about the security issues with the cameras and the availability of the software update to correct them, and to provide customers with free technical support for the next two years to assist them in updating or uninstalling their cameras.