26 models of Trendnet webcams have been identified as vulnerable to a bug that lets anyone tap into the video stream with just an IP address. The flaw was noted a month ago and the company has been working to alert people and patch the devices. Unfortunately, the company has no way of contacting non-registered webcam owners, and so the devices may remain accessible if the users never suspect anything.
It’s a bit scary, but certainly not unprecedented. Although it’s not quite the same thing, two years ago a school was accused of spying on its students via the webcams in school-owned laptops (the district later settled). This time, it’s hackers who found their way in, and randoms on the internet who spent long hours watching the feeds.
The security flaw was posted by Console Cowboys on January 10th; the susceptible devices were easily found, as they identify themselves in such a way that their IP can simply be scraped for. The result: hundreds of feeds being watched, some mundane things like cameras watching the front door, but others were trained on, say, a young mother in some state of undress watching over her baby.
Screenshots were taken and video recorded, naturally, and while some of the people on message boards, Reddit, 4chan, and other communities may have thought it creepy and inappropriate, many more must have considered it the opportunity of a creepy lifetime. Of the hundreds of devices known to have been watched, and perhaps thousands more worldwide (Trendnet estimates the total vulnerable, not to say breached, at “most likely less than 50,000″), how many had kids playing, or someone walking out of the shower, or anything you can imagine.
And the worst part is that many of these devices will never be updated. The users can’t be alerted directly, as the webcam runs independently as a networked device on some normal webcam broadcast software. Even a “call home” automatic check for updates, if it’s enabled, would probably be dismissed by most users. “The camera is working fine, why bother? Probably just have to configure it again.”
The company that created the webcams will likely be sued, and rightly so. They are absolutely liable for software they marketed as secure and private, and which appears to have been breached by one guy, who did it on his own for kicks. A security researcher would probably conclude that the protections on the cameras were totally inadequate. After all, the breach was done after updating the camera to the most recent firmware (from 2010, as it turns out). And while they issued an update on January 30th and knew about the flaw weeks before, there was no real announcement until yesterday.
And with all this comes the question of whether in a case like this a company should be able to force-update a device. It’s the “light side” version of Amazon sucking books off your Kindle, but it’s essentially the same action.
One also begins to wonder how many cameras are being accessed by people who don’t publicize their results or share on web communities. I’ve tipped my own webcam up in what I feel is justified paranoia, and things like hard disconnects or shutters will likely become popular features once the security risks (always extant) become more well-known.
The company has put up a warning and list of affected models here. Worth checking and perhaps sharing.