The U.S. Federal Trade Commission (FTC) recently announced that TRENDnet has settled charges that its "lax security practices" had exposed hundreds of consumers' private lives to public viewing online (h/t SC Magazine).
According to the FTC's complaint, TRENDnet's SecurView cameras were marketed for purposes ranging from home security to baby monitoring with the promise that they were "secure," but the cameras had faulty software that left them open to online viewing and in some cases listening by anyone with the cameras' Internet address.
The complaint alleges that, at least from April 2010 onwards, TRENDnet failed to use reasonable security to design and test its software, and user login credentials were transmitted in clear text over the Internet. As a result, hackers were able to post links to the live feeds of almost 700 cameras, which showed babies sleeping in their cribs, children playing, and adults going about their lives.
Under the terms of the settlement, TRENDnet is required to establish a comprehensive information security program, and to obtain third-party assessments of that program every two years for the next 20 years. The company is also required to notify customers about the security issues with its cameras, and to provide free technical support for the next two years to help customers update or uninstall their cameras.
TRENDnet is also barred from misrepresenting the security of its cameras in the future.
"The Internet of Things holds great promise for innovative consumer products and services," FTC Chairwoman Edith Ramirez said in a statement. "But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet."
In response, TRENDnet stated, "For over 23 years, TRENDnet has built a reputation of offering network hardware solutions to consumers worldwide. TRENDnet has worked closely with the FTC throughout this process. The product hack and the subsequent FTC action was used as an opportunity to improve best practices which support augmented product security for existing and future products. Furthermore, a systematic security review process from an accredited third party entity helps maintain best practices into the future."