Camera feeds for home security and baby monitoring were hacked, despite claims that the products provided “secured viewing” and were marketed with the word “Security” next to a padlock, according to a complaint filed by the FTC against TRENDnet.
The suit marks the agency’s first action in the “Internet of Things” ecosystem, an area on which Chairwoman Edith Ramirez said earlier this year she planned to focus. The term refers to everyday products that connect to the Internet and to other mobile devices, the agency explained.
“The Internet of Things holds great promise for innovative consumer products and services,” Ramirez said in a statement about the case. “But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet.”
According to the complaint, TRENDnet marketed its SecurView cameras as providing secure viewing for personal use (including home security and baby monitoring) but faulty software left the camera feeds vulnerable to hacking. Accordingly, anyone with the Internet address for the camera could watch or listen.
The security flaws had been present since at least April 2010, a problem compounded by the fact that TRENDnet failed to test its software for items such as a password setting for the cameras. In addition, the defendant failed to secure online communications with customers, transmitting login credentials in “clear, readable text,” and failed to store information in a secure fashion.
The FTC estimated that the feeds of almost 700 consumers’ cameras were aired online after a hacker accessed the connections and posted the links. As a result, videos of babies sleeping in their cribs and families engaged in their daily lives were streamed for all to see.
California-based TRENDnet made a security patch available on its Web site once it learned of the hacking. Under the terms of the proposed consent decree, the company is now required to notify all customers of the security problems and provide free technical support for a two-year period to help them either update their software or uninstall the camera.
In addition, the company is prohibited from making future false representations about the security, privacy, confidentiality, or integrity of its software and is required to establish a comprehensive information security program, including third-party assessments of its security biannually for 20 years.
Why it matters: In addition to making good on Ramirez’s promise to take action in the Internet of Things realm, the settlement reinforces the agency’s general focus on data security by bringing actions against companies that fail to live up to what the agency determines are reasonable security standards. Advertisers should ensure that their privacy and security activities comply with their promises, a job that includes keeping eyes and ears open for potential problems. In the complaint against TRENDnet, the FTC alleged that one of the defendant’s failures was that it did not “actively monitor security vulnerability reports from third-party researchers, academics, or other members of the public, despite the existence of free tools to conduct such monitoring, thereby delaying the opportunity to correct discovered vulnerabilities or respond to incidents.”