The Federal Trade Commission recently came to a settlement with TRENDnet, a company that markets cameras used for home security and baby monitoring, over the security of its products. Due to a security flaw in TRENDnet’s SecurView cameras, hundreds of home video feeds were publicly exposed online by hackers. The settlement marks the first time the FTC has taken action against the marketer of a product considered part of the Internet of Things.
In an official complaint, the FTC alleged that TRENDnet marketed its SecurView cameras as “secure” despite the fact that a software security flaw made them vulnerable to spying. The agency claimed that, since at least April 2010, TRENDnet failed to use secure development practices in the design and testing of its product, particularly with regard to the device’s password settings.
In 2012, a hacker took advantage of the flaw and posted details to the Internet, which enabled other hackers to eventually post live feeds from more than 700 cameras online. Feeds showing home activities such as babies lying in cribs and young children playing were publicly accessible, representing a major privacy threat to consumers. Once TRENDnet discovered the flaw, it issued a patch and notified customers of the need to update.
Additionally, the FTC alleged that, dating back to at least April 2010, TRENDnet transmitted user login credentials in plain text over the Internet, forgoing easily available alternatives to secure this information. The company’s mobile applications for the cameras also stored user login information in clear text on their mobile devices, according to the FTC.
Cracking down on software security
Under the terms of a settlement with the FTC over the complaints, TRENDnet is prohibited from misrepresenting the security of its cameras or of the information they transmit, and it cannot misrepresent the extent to which a consumer can control the camera’s security settings. The company is also required to establish a comprehensive information security program for its devices and to obtain third-party assessments of its security programs every two years for the next 20 years. Additionally, TRENDnet must notify customers of security issues and provide free technical support in updating or uninstalling their cameras.
These sanctions serve as a significant statement about the importance of security as the so-called Internet of Things evolves. The FTC’s intervention is a message to companies that they need to take additional precautions to secure their devices as a wider variety of tools are designed to include online connectivity.
“The Internet of Things holds great promise for innovative consumer products and services,” said FTC Chairwoman Edith Ramirez. “But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet.”
Experts have been warning for months that the Internet of Things, while it promises to improve many consumer products and services, also represents a major security risk if not approached correctly. With resources such as the Shodan search engine at their disposal, hackers can easily find and access poorly secured Internet-facing devices. Recent threat reports have emerged for everything from security cameras to smart toilets, and such issues are likely to continue to be a problem.
By encouraging the use of secure design principles and cracking down on companies that fail to institute them, the FTC has made it clear that software development will need to evolve with the changing nature of the devices themselves. Using tools such as static analysis software, businesses can better protect themselves against the likelihood of a security breach and subsequent legal action or sanctions. Rather than getting coerced into meeting security standards, companies can build them in on their own.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.