TRENDnet has acknowledged a flaw that meant that live feeds from its home security cameras were accessible online without needing a password. The US-based manufacturer admitted the problem - which affects its SecurView Cameras bought after April 2010 - and began releasing firmware updates designed to plug the hole on Monday. It …
I'm not going to post the full exploit, since El Reg didn't, and perhaps they don't want to be involved, but I thought the anony/ directory in the file path was very curious. That makes it look a bit like an intentional back door to me. Unless "annoy" has some technical meaning the IP cam business I'm not familiar with...
/anony/ - It's for direct stream authentication so users can participate in the camera stream without user credentials. If Disabled, anyone can access without username/password. If Enabled, users will be prompted for username/password. This is why /anony/ exists specifically for these models. I have found other manufactures with similar coding flaws and similar back doors. The only difference is that Trendnet fessed up to the bug and honestly addressed the issue. In my experience working with embedded systems I've found that most backdoors are just lazy coding errors and not intentional government plots to spy on civilians. Just my 2 cents :)
"various messageboard sites"
Going to be around for ages...
I actually saw lots of posts of IPs on pastebin and zero on 4chan.
"TRENDnet told the BBC that it became aware of the problem on 12 January"
If it takes them this long, plus longer, to get a patch ready then how long do you think it'll be until the average Joe actually patches up? I don't think the box has an autoupdate feature. This exploit will be around for a long time...
To further this problem, most peoples login creds will be the default admin/password no doubt...
Will this only work on cameras outside a firewall, or are these cameras punching a hole through?
If the latter: BAD TRENDNET! NO COOKIE!
If the former: BAD OWNER! NO COOKIE! BAAAD!
If you put an IP based camera outside a proper firewall, you deserve to have everybody watching your stupidity.
That was my immediate reaction too.
But many of the folks installing these will WANT to be able to access them when not at home - it's not a bug it's a feature????
[I've had this kind of setup at home for many years following too many burglaries - but NOT using commercial IP cameras, (a) because of price (b) because you don't know what they're up to. A video stream and a capture device in a real computer has some advantages if you're a paranoid geek on a low budget.
So what you are saying then is if I install one of these at home so I can check my house when at work then I am doing something wrong?
First of all, it's spelled "fucking"
Second of all, you configure the firewall so that authorized access is allowed, e.g. via a protocol with strong authentication like SSH.
Although since you are only brave when hiding behind anonymity and the Internet, I shouldn't really expect much of you. Go back to joystick, wanker.
First of all it is spelt "Fecking"
Second of all, if you had bothered to read the fecking article, you would see that if you correctly configured your firewall, and correctly configured the device to allow authorised access it can still still be comprised and accessed. I know The Register cleverly hid this fact in the VERY FIRST FUCKING SENTENCE:
"TRENDnet has acknowledged a flaw that meant that live feeds from its home security cameras were accessible online without needing a password"
It is spelled "Phuquinge" in Proper Englishe As She Is Spoke
PervCams go mainstream!
News at six! Pics at eleven!
This just ahead of ...
... Facebook's acquisition of TrendNet
@FatsBrannigan - good one
COTD* award candidate?
*Comment Of The Day
I love the line...
...*select* TRENDnet IP cameras may be accessed....
I thought, in the US, the word 'select' was also used to promote an offer.
"20% discount on select furniture".
- Two nations sparated by a common language - springs to mind.
Oxford dictionary lists "select" as
"(of a group of people or things) carefully chosen from a larger number as being the best or most valuable"
So the offer promotion usage makes more sense. Except they usually only "select" the stuff that's not selling at the regular price.
Then again, the TrendNet cameras monitoring the pillow fight room in the cheerleaders' dorms might be more "select" than the ones monitoring the landfill...
a smaller subset selected from a larger set.
In both contexts the word means the same.
Some but not all TRENDnet IP cameras
Some but not all furniture
El Reg writers has a security camera...
... in the bathroom?!
It's not about being able to view across the Internet...
People seem to not be qutie understanding this, so a quick explanation:
The camera DOES have a FEATURE to view the camera across the Internet. It requires you to authenticate, and if correct you may view.
The problem here is that you can also go to http://<ip><port>/anon/restoflink where you can view the camera feed WITHOUT authentication.
Hope this clears things up a bit.
Thanks for clearing that up. At first I thought it was similiar to the "intitle: axis 2400 video server" google search that reveals lots of cams that users have just hooked up to the internet and never secured, great fun.
TRENDnet has problem with kit
slow news day? None of their stuff works right, or can be broken by the slightest sneeze. When you're using bottom rung kit, don't expect it to be really capable.
I gave up on TRENDnet when I went through 3 KVMs inside one week. I went from a hard switch that I've had since before TRENDnet was even around to a soft switch. Worked like a champ. Then bought a softswitch with TRENDnet's name on it to get extra systems connected up. well, the old Tandy 1000 PS/2 keyboard port was just too much for the TRENDnet switch as the switch went into insane rapid fire mode after that. 2 more switches later and I think I had it figured out. TRENDnet uses absolutely no margin for error in any kit connected to theirs. I have a theory that the old PS/2 port on the Tandy puts out a little more voltage than spec. I've never had any issues with any keyboards connected to it, so it's not enough to right home about, but TRENDnet's kit couldn't handle it. I have not tested this theory since everything else has worked like a champ since I binned the TRENDnet kit. I chalk it up to a company that has set themselves up as low price with lower cost (read: cheap) parts and are not worth my time and frustration. TRENDnet is an industry example of FAIL. They might do well to know about that electrical component called a resistor.
I think shipping cameras with faulty/backdoored firmware that causes people to unknowingly broadcast their living room to the whole internet is a fail on slightly different level than making keyboards that can't handle excess voltage.
The clothes folding lady has finished and gone away.... But that's OK, there's a black and white movie about a baby that suddenly disappeared from it's cot (crib?) leaving only it's dummy (pacifier?).
The BBC boobed big time by inviting people to commit offences under the Protection of Children Act. See www.annaraccoon.com for details.
Don't forget the warning notices
I hope all these people with cameras are complying with the law and have the obligatory CCTV warning notices posted in the house so that burglars and other visitors (the milkman?) know where to call to view the footage and have any recordings erased if those recordings are considered inappropriate.
TRENDnet has posted the resolution to the security breach on their IP cameras. You can check information on affected TRENDnet IP cameras at: http://www.trendnet.com/products/features.asp?featureid=52. You can download critical firmware along with detailed update instructions for the affected TRENDnet IP cameras at http://www.trendnet.com/downloads/.
My question is: Why
Would you like a webcam in your bedrooms and bathrooms broadcasting live?!! The answer should measure the balance of risk / security. The burden on the company is the keep the device secure, to advise buyers and to notify data breach. http://clarinettesblog.wordpress.com/2012/02/07/would-you-like-a-webcam-in-your-bedrooms-and-bathrooms-broadcating-live/
Finally, a topic where I'm an "insider" as it were...
Quick background: I work in major DVR/NVR company which provides video management, CMS and general Orwellian monstrosity solutions to many corporations. Not an integrator that puts together solutions from off the shelf parts, but one of the vendors. My job is lead integration engineer, I ensure that all third party IP POS and IP camera solutions (all of which speak different protocols, thanks total lack of industry standards) can speak to our video management systems, and write the glue code to make it happen. I also do coding on the NVR system itself.
Now, given what I've said above, it's fair to say I'm an expert on camera offerings. I have complete lines from several vendors cluttering my storage area and have seen hundreds upon hundreds of different models of camera. I also routinely VPN into sites and see what the real world multi-million dollar camera installs look like.
What you're seeing here is STANDARD PRACTICE. Offering a motion jpeg video stream over HTTP is a basic feature that all cameras have for quick and dirty integration. Very few of them password this stream, because it's inconvenient. The few that do use only clear-text HTTP authentication anyway. Also, in practice maybe one in a thousand sites, if that, changes the default password. Don't know the default password? That's fine, industry websites publish master lists, just Google. It's simply how it's done in the industry.
The only reason TRENDnet is getting burned is because they're a consumer outfit, and bizarrely consumers care way, way more about network security than enterprise users in the physical security segment.