FTC Approves Settlement Over Leaky Surveillance Cam

The US Federal Trade Commission (FTC) announced on Friday that it has approved a settlement with TRENDnet, Inc. over lax security features in its line of SecurView cameras.

trendnet securview camera
The FTC approved a final settlement with TRENDnet, a California company that makes the SecurView cameras, which were found to expose customers to remote snooping.

The FTC said on Friday that it has approved a final order settling charges against the company, whose cameras were found to be poorly secured against external attackers, who could access them and use them to spy on the homes and private lives of hundreds of consumers.

[See also: Apple Store Favorite IZON Cameras Riddled with Holes]

The FTC complaint stems from a February, 2012 case in which independent security analysts with the web site Console Cowboys published details on how a firmware flaw allowed authentication for Internet-connected SecurView cameras to be bypassed, giving any Internet user (with the know-how) the ability to view the surveillance camera’s live feed.

The Commission first announced a settlement with TRENDnet, a Torrance, California company, in September of last year. At the time, the Commission charged the company with misrepresenting the security of its products. TRENDnet sold “faulty software that left (the cameras) open to online viewing” by anyone who knew the device’s IP address, according to the FTC. 

Under the terms of its settlement with the Commission, TRENDnet agreed to stop misrepresenting the “security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit,” as well as “the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit.”

The company must also establish a comprehensive information security program to address security risks in its products, which the FTC defined as anything that “could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices.”

Approval of the final order (PDF) follows a period of public comment.

The FTC has taken the lead among government agencies in warning of the privacy and security risks inherent in many so-called “smart” devices. At a Commission-sponsored forum in November, Commissioner Maureen Ohlhausen said that The Internet of Things has “the potential to transform many fields, including home automation, medicine, and transportation.” However, “the ability to collect large amounts of information and, in some cases, to act on that information also raises important consumer privacy and data security issues.”

The FTC, she said, should use its traditional role as a consumer advocate to investigate IoT technology and provide consumers with a reliable source of information on the dangers that the technology poses. It should also use its enforcement powers to identify and punish “bad actors” that might damage the overall reputation of the IoT.