TRENDnet home security camera flaw exposes thousands

TRENDnet has acknowledged a flaw that meant that live feeds from its home security cameras were accessible online without needing a password. The US-based manufacturer admitted the problem - which affects its SecurView Cameras bought after April 2010 - and began releasing firmware updates designed to plug the hole on Monday. …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Interesting Filename

    I'm not going to post the full exploit, since El Reg didn't, and perhaps they don't want to be involved, but I thought the anony/ directory in the file path was very curious. That makes it look a bit like an intentional back door to me. Unless "annoy" has some technical meaning in the IP cam business I'm not familiar with...

    1. johnny5alive
      Boffin

      /anony/ - It's for direct stream authentication so users can participate in the camera stream without user credentials. If Disabled, anyone can access without username/password. If Enabled, users will be prompted for username/password. This is why /anony/ exists specifically for these models. I have found other manufacturers with similar coding flaws and similar back doors. The only difference is that Trendnet fessed up to the bug and honestly addressed the issue. In my experience working with embedded systems I've found that most backdoors are just lazy coding errors and not intentional government plots to spy on civilians. Just my 2 cents :)

  2. Anonymous Coward
    Anonymous Coward

    "various messageboard sites"

    4chan then?

    1. This post has been deleted by its author

  3. Anonymous Coward
    Anonymous Coward

    Firewall?

    Will this only work on cameras outside a firewall, or are these cameras punching a hole through?

    If the latter: BAD TRENDNET! NO COOKIE!

    If the former: BAD OWNER! NO COOKIE! BAAAD!

    If you put an IP based camera outside a proper firewall, you deserve to have everybody watching your stupidity.

    1. Anonymous Coward
      Anonymous Coward

      Firewall

      That was my immediate reaction too.

      But many of the folks installing these will WANT to be able to access them when not at home - it's not a bug it's a feature????

    [I've had this kind of setup at home for many years following too many burglaries - but NOT using commercial IP cameras, (a) because of price, (b) because you don't know what they're up to. A video stream and a capture device in a real computer has some advantages if you're a paranoid geek on a low budget.]

    2. Anonymous Coward
      Anonymous Coward

      So what you are saying then is if I install one of these at home so I can check my house when at work then I am doing something wrong?

      Fecking moron.

      1. Anonymous Coward
        Anonymous Coward

        First of all, it's spelled "fucking"

        Second of all, you configure the firewall so that authorized access is allowed, e.g. via a protocol with strong authentication like SSH.

        Although since you are only brave when hiding behind anonymity and the Internet, I shouldn't really expect much of you. Go back to joystick, wanker.

        1. Anonymous Coward
          Anonymous Coward

          First of all it is spelt "Fecking"

          Second of all, if you had bothered to read the fecking article, you would see that if you correctly configured your firewall, and correctly configured the device to allow authorised access, it can still be compromised and accessed. I know The Register cleverly hid this fact in the VERY FIRST FUCKING SENTENCE:

          "TRENDnet has acknowledged a flaw that meant that live feeds from its home security cameras were accessible online without needing a password"

          Fecking Moron

          1. Anonymous Coward
            Anonymous Coward

            It is spelled "Phuquinge" in Proper Englishe As She Is Spoke

            PervCams go mainstream!

            News at six! Pics at eleven!

  4. Anonymous Coward
    Anonymous Coward

    This just ahead of ...

    ... Facebook's acquisition of TrendNet

    1. Darryl
      Thumb Up

      @FatsBrannigan - good one

      COTD* award candidate?

      *Comment Of The Day

  5. Andus McCoatover
    Windows

    I love the line...

    ...*select* TRENDnet IP cameras may be accessed....

    I thought, in the US, the word 'select' was also used to promote an offer.

    "20% discount on select furniture".

    - Two nations separated by a common language - springs to mind.

    1. Darryl
      Big Brother

      Oxford dictionary lists "select" as

      "(of a group of people or things) carefully chosen from a larger number as being the best or most valuable"

      So the offer promotion usage makes more sense. Except they usually only "select" the stuff that's not selling at the regular price.

      Then again, the TrendNet cameras monitoring the pillow fight room in the cheerleaders' dorms might be more "select" than the ones monitoring the landfill...

    2. yeahyeahno
      FAIL

      Andus fail

      a smaller subset selected from a larger set.

      In both contexts the word means the same.

      Some but not all TRENDnet IP cameras

      Some but not all furniture

  6. Graham Marsden
    WTF?

    An El Reg writer has a security camera...

    ... in the bathroom?!

  7. This post has been deleted by its author

    1. Anonymous Coward
      Anonymous Coward

      Thanks for clearing that up. At first I thought it was similar to the "intitle: axis 2400 video server" google search that reveals lots of cams that users have just hooked up to the internet and never secured, great fun.

  8. Sly

    TRENDnet has problem with kit

    slow news day? None of their stuff works right, or can be broken by the slightest sneeze. When you're using bottom rung kit, don't expect it to be really capable.

    I gave up on TRENDnet when I went through 3 KVMs inside one week. I went from a hard switch that I've had since before TRENDnet was even around to a soft switch. Worked like a champ. Then bought a soft switch with TRENDnet's name on it to get extra systems connected up. Well, the old Tandy 1000 PS/2 keyboard port was just too much for the TRENDnet switch, as the switch went into insane rapid fire mode after that. 2 more switches later and I think I had it figured out. TRENDnet uses absolutely no margin for error in any kit connected to theirs. I have a theory that the old PS/2 port on the Tandy puts out a little more voltage than spec. I've never had any issues with any keyboards connected to it, so it's not enough to write home about, but TRENDnet's kit couldn't handle it. I have not tested this theory since everything else has worked like a champ since I binned the TRENDnet kit. I chalk it up to a company that has set themselves up as low price with lower cost (read: cheap) parts and are not worth my time and frustration. TRENDnet is an industry example of FAIL. They might do well to know about that electrical component called a resistor.

    1. Anonymous Coward
      Anonymous Coward

      I think shipping cameras with faulty/backdoored firmware that causes people to unknowingly broadcast their living room to the whole internet is a fail on slightly different level than making keyboards that can't handle excess voltage.

  9. Tim Bates

    Awwww....

    The clothes folding lady has finished and gone away.... But that's OK, there's a black and white movie about a baby that suddenly disappeared from its cot (crib?) leaving only its dummy (pacifier?).

  10. Anonymous Coward
    Anonymous Coward

    BBC boob

    The BBC boobed big time by inviting people to commit offences under the Protection of Children Act. See www.annaraccoon.com for details.

  11. Usually Right or Wrong
    Big Brother

    Don't forget the warning notices

    I hope all these people with cameras are complying with the law and have the obligatory CCTV warning notices posted in the house so that burglars and other visitors (the milkman?) know where to call to view the footage and have any recordings erased if those recordings are considered inappropriate.

  12. tnet

    TRENDnet has posted the resolution to the security breach on their IP cameras. You can check information on affected TRENDnet IP cameras at: http://www.trendnet.com/products/features.asp?featureid=52. You can download critical firmware along with detailed update instructions for the affected TRENDnet IP cameras at http://www.trendnet.com/downloads/.

  13. clarinette02

    clarinette

    My question is: Why

    Would you like a webcam in your bedrooms and bathrooms broadcasting live?!! The answer should measure the balance of risk / security. The burden on the company is to keep the device secure, to advise buyers and to notify of a data breach. http://clarinettesblog.wordpress.com/2012/02/07/would-you-like-a-webcam-in-your-bedrooms-and-bathrooms-broadcating-live/

  14. Anonymous Coward
    Anonymous Coward

    Finally, a topic where I'm an "insider" as it were...

    AC, obviously.

    Quick background: I work in major DVR/NVR company which provides video management, CMS and general Orwellian monstrosity solutions to many corporations. Not an integrator that puts together solutions from off the shelf parts, but one of the vendors. My job is lead integration engineer, I ensure that all third party IP POS and IP camera solutions (all of which speak different protocols, thanks total lack of industry standards) can speak to our video management systems, and write the glue code to make it happen. I also do coding on the NVR system itself.

    Now, given what I've said above, it's fair to say I'm an expert on camera offerings. I have complete lines from several vendors cluttering my storage area and have seen hundreds upon hundreds of different models of camera. I also routinely VPN into sites and see what the real world multi-million dollar camera installs look like.

    What you're seeing here is STANDARD PRACTICE. Offering a motion jpeg video stream over HTTP is a basic feature that all cameras have for quick and dirty integration. Very few of them password this stream, because it's inconvenient. The few that do use only clear-text HTTP authentication anyway. Also, in practice maybe one in a thousand sites, if that, changes the default password. Don't know the default password? That's fine, industry websites publish master lists, just Google. It's simply how it's done in the industry.

    The only reason TRENDnet is getting burned is because they're a consumer outfit, and bizarrely consumers care way, way more about network security than enterprise users in the physical security segment.
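  The two mechanisms described in this thread, an "anonymous" stream that is served with no credentials at all (comment 1.1) and a stream gated only by clear-text HTTP authentication (comment 14), can be told apart from the outside with a single unauthenticated GET. The script below is an added illustration, not code from the article, from TRENDnet or from any camera firmware: it runs a small constructed mock camera on loopback with three hypothetical stream paths (the path names, the realm strings and the "admin"/"admin" default are assumptions for the demo, not real firmware paths or credentials) and classifies each endpoint as open, Basic-gated (credentials travel base64-encoded, which is not encryption) or Digest-gated. Pointing `classify_stream` at a real device URL is a reasonable first check before exposing a camera through a firewall.

```python
"""Classify how an HTTP video-stream endpoint gates access.

Added example for this thread; not TRENDnet code. The mock camera, its
paths and its default credentials are constructed for the demo.
"""
import base64
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical endpoints (assumptions for the demo, not real firmware paths).
OPEN_STREAM = "/anonymous/stream.mjpg"    # served to anyone, no credentials asked
BASIC_STREAM = "/basic/stream.mjpg"       # gated by HTTP Basic: base64, not encrypted
DIGEST_STREAM = "/digest/stream.mjpg"     # gated by HTTP Digest: password never sent as-is
DEMO_USER, DEMO_PASS = "admin", "admin"   # stands in for a never-changed default


class MockCamera(BaseHTTPRequestHandler):
    """Constructed stand-in for a camera's HTTP server."""

    def log_message(self, *args):  # keep the demo quiet
        pass

    def do_GET(self):
        if self.path == OPEN_STREAM:
            return self._send_frame()
        if self.path == BASIC_STREAM:
            hdr = self.headers.get("Authorization", "")
            if hdr.startswith("Basic ") and basic_header_reveals(hdr) == f"{DEMO_USER}:{DEMO_PASS}":
                return self._send_frame()
            return self._challenge('Basic realm="camera"')
        if self.path == DIGEST_STREAM:
            return self._challenge('Digest realm="camera", nonce="deadbeef", qop="auth"')
        self.send_response(404)
        self.end_headers()

    def _challenge(self, www_authenticate):
        self.send_response(401)
        self.send_header("WWW-Authenticate", www_authenticate)
        self.end_headers()

    def _send_frame(self):
        # One minimal multipart/x-mixed-replace "frame" (an empty JPEG marker pair).
        self.send_response(200)
        self.send_header("Content-Type", "multipart/x-mixed-replace; boundary=frame")
        self.end_headers()
        self.wfile.write(b"--frame\r\nContent-Type: image/jpeg\r\n\r\n\xff\xd8\xff\xd9\r\n")


def basic_header_reveals(authorization_header):
    """Decode an 'Authorization: Basic ...' value; shows it is only base64."""
    return base64.b64decode(authorization_header.split(" ", 1)[1]).decode()


def classify_stream(url, timeout=3):
    """Return 'open', 'basic-cleartext', 'digest', or 'http-<code>' for a stream URL.

    Sends one GET with no credentials; a 200 means anyone on the network path
    can watch, a 401 tells us which scheme guards it.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            resp.read(128)  # consume the first frame bytes, then drop the connection
            return "open" if resp.status == 200 else f"http-{resp.status}"
    except urllib.error.HTTPError as err:
        if err.code == 401:
            scheme = err.headers.get("WWW-Authenticate", "").split(" ", 1)[0].lower()
            if scheme == "basic":
                return "basic-cleartext"
            return scheme or "http-401"
        return f"http-{err.code}"


def audit(base_url):
    """Classify each known stream path under base_url."""
    return {p: classify_stream(base_url + p) for p in (OPEN_STREAM, BASIC_STREAM, DIGEST_STREAM)}


def start_mock():
    """Start the constructed camera on an ephemeral loopback port."""
    server = HTTPServer(("127.0.0.1", 0), MockCamera)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


if __name__ == "__main__":
    server, base = start_mock()
    for path, verdict in audit(base).items():
        print(f"{path}: {verdict}")
    print("Basic header decodes to:", basic_header_reveals("Basic YWRtaW46YWRtaW4="))
    server.shutdown()
```

  Note that "basic-cleartext" is only marginally better than "open" on a camera reachable from the internet: anyone who can observe the traffic sees the password, and the default-credential lists comment 14 mentions cover the rest. An SSH or VPN tunnel to the camera's LAN, as suggested earlier in the thread, keeps the stream off the public network entirely.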
