Users of Trendnet home surveillance cameras have been warned about a serious security hole that makes it possible for Internet users to view their private video feeds in real time.
The alert was first discovered a month ago by the owner of the TV-IP110w wireless IP security camera, who noticed while exploring the camera’s firmware that it was possible to access its video feed by entering its IP address with a pointer to a normally hidden sub-directory.
This turned out to be true even when the camera was set up with password access enabled. Disturbingly, the researcher was able to use the same routine to turn up almost 10,000 possible Internet-connected cameras running the same firmware by querying the port-scanning search engine, Shodan.
Using Shodan with an automated Python script to search for vulnerable feeds turned up 350 cameras. Images turned up included video of doorways, precisely the sort of scenes one might expect of a camera whose primary task is building surveillance for small businesses and home owners.
However, other feeds appear to be pointed at internal rooms, including bedrooms, making it possible that a camera bought to secure properties might now be exposing their owners instead.
Trendnet said that as many as 25 models could be affected by the flaw in addition to the TV-IP110w model tested, and has issued a software update for most of the models affected.
The problem is that the company can only directly alert registered users, a fraction of the total number of customers that buy its IP cameras, making it likely that many will be exposed to the flaw for some time.
IP cameras make attractive targets for hacking because they are designed to be accessed across the Internet. That said, the more general vulnerability of cameras and microphone devices is a well-established genre that has generated several scares in recent times, including one in which a Flash Player vulnerability was found to allow simple webcams of the type found in laptops to be turned on remotely.
In 2011, a US man was sentenced to six years for using malware to spy on Internet users by activating their webcams.
Trendnet has posted updates for named models on its website.