Bug in Trendnet webcams exposes them to public viewing
A serious vulnerability in home security cameras made by U.S.-based Trendnet potentially exposed thousands of users to voyeurs and hackers who could watch the live video feed from the cameras over the Internet--without a password.
The flaw was first uncovered in January by a hacker going by the handle of "someLuser," who dug into the firmware of a SecurView Wireless Internet Camera from Trendnet. While unpacking the underlying operating system, he stumbled upon a URL that can be used to log in anonymously. The hacker outlined every step of his discovery, and even customized a script that can be used to query the Shodan search engine to locate vulnerable Trendnet cameras.
The serious bug was attributed to a "coding oversight" by a Trendnet official, and the company has acknowledged that up to 22 different models were affected. "Upon awareness of the issue, Trendnet initiated immediate actions to correct and publish updated firmware which resolves the vulnerability," says the company in a statement.
Separately, Zak Wood, Trendnet's director of global marketing, told the BBC earlier this week that the company is scrambling to discover how the code was introduced. A quick check shows that the company has placed a prominent notice on its website that leads directly to a download page with links to the updated firmware.
Trendnet says it plans to notify the 5 percent of affected users who have registered their webcams with the company, though what happens to the 95 percent of affected users remains a mystery.