US Govt Punishes IP Camera Manufacturer Trendnet

Author: IPVM, Published on Sep 05, 2013

IP camera manufacturer TRENDnet has settled with the FTC after the agency says the company’s advertising, combined with failure to use “reasonable security to design and test its software” resulted in unfair trade practices. Because of security flaws in more than 20 models of TRENDnet cameras, customers’ private camera feeds were available over the Internet from devices sold to them to secure their homes, according to the FTC. In this note, we review the FTC complaint, the outcome and what the decision means for the industry.

The Complaint Reviewed

Trendnet's camera line was, as it turns out, ironically branded "SecureView" including a logo on the packaging emphasizing:

According to the FTC complaint, a malfunction in the “Direct Video Stream Authentication,” a setting that controlled user credentials preferences, allowed live feeds to be accessed regardless of a user’s security settings. The feeds were initially made public after hackers exploited the flaw and posted links to “nearly 700 of the cameras” online. “The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives,” says the FTC.

The FTC also says the company transmitted and stored user login credentials unencrypted, failed to implement a process monitor and assess third-party security reports (delaying the opportunity to fix flaws) and failed to do any type of security review of its software. TRENDnet released a patch shortly after the exploit.

TRENDnet’s marketing claimed the cameras were “secure” or suitable for maintaining security, says the FTC. On its website, packaging and other advertisements, TRENDnet claimed the cameras could help protect a user’s home, family, property or business. However, because TRENDnet failed to provide security from unauthorized access to live feeds, that “caused, or [was] likely to cause, substantial injury to consumers that is not offset by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers,” said the FTC in the complaint. “This practice was, and is, an unfair act or practice.”

The Decision Reviewed

On Wednesday, the FTC announced that TRENDnet settled charges that it failed to protect its users' privacy. Although TRENDnet has acknowledged that the flaw was patched, by agreeing to a consent order it is not obligated to admit or deny any of the FTC’s complaints.

The consent order bars TRENDnet from “misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit” and “misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit.” The order covers all advertisements, promotional materials, installation and user guide, packaging, and any materials disseminated by the company.

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

It also requires the company to establish a detailed program, in writing, to address security risks and secure user information. The company must have a third-party complete periodic assessments to ensure compliance to the order every two years for the next 20 years. The report for each assessment will be delivered to the FTC. All of these documents must be made available to the FTC for inspection upon request for the next five years.

Revenue

TRENDnet is a relatively modest player in IP camera market -- according to the complaint, the 80-person company did $5.28 million in IP cameras sales in 2011, rising to $7.4 million in 2012. Assuming a low average selling price (say $70), that would mean ~100,00 IP cameras per year, though almost all in the consumer, non VMS space. However, the potential impact this decision has on the industry is big.

Impact on Other Manufacturers

In the last few years, the FTC has made an effort to crack down on tech manufacturers who commit privacy violations, but companies producing security technology may get more of the brunt than an app designer that reveals social media data without permission. This case should be an eye-opener for camera manufacturers who make claims about increasing safety or preventing harm. If a company is claiming their cameras can keep a person, place or thing safe, and those cameras have an issue that could negate that safety or potentially cause harm to the user, then that is an unfair trade practice, according to the FTC in this decision. Manufacturers should be more cautious about the claims they’re making and the vulnerabilities they may have. The FTC has demonstrated that they will take action.

This is all the more interesting given that the physical security industry has been historically lax in implementing information security (rampant default password use, ongoing security issues).

1 report cite this report:

Hikvision (Stops) Lying About Ezviz Security on Mar 18, 2016
Hikvision promoted the security of their directly sold Ezviz consumer line to Americans in a March 9, 2016 release. False It featured this false...
Comments (2): PRO Members only. Login. or Join.

Related Reports on Privacy

Silicon Valley Startup Launches People Counting As A Service on Aug 09, 2016
A Silicon Valley startup says their people counting sensor is so accurate it's free, just pay for the data. They recently raised $4M from a top VC...
Americans Vastly Underestimate Being Recorded on CCTV on May 24, 2016
Americans vastly underestimate how often they are recorded on CCTV, by a factor of ~10x, based on a Google Consumer Survey study that IPVM recently...
Man Fights Crime With 21 Hikvision Cameras on Apr 08, 2016
Hero or lunatic? One man has taken the fight against crime into his own hands. His special power is CCTV and he is not afraid to use it. But many...
Surveillance Commissioning / Install Checklist on Feb 08, 2016
This 60+ point checklist helps end users, integrators and consultants verify that installation is complete. It covers the following...
Hikvision and the China Communist Party on Jan 12, 2016
Just days after getting $3 billion financing from the Chinese government, Hikvision celebrated opening their own Communist Party company committee....
Hospital Video Surveillance Guide on Jul 28, 2015
This 16-page guide explains the key uses, design factors, and players in the Hospital Surveillance market.   A global group of 50 integrators and...
School Video Surveillance Guide on May 26, 2015
This 13-page in-depth guide explains the key uses, drivers, factors and players in K-12 school video surveillance systems. A global group of 80...
German Anti-Surveillance Campaign Coming to US on Apr 15, 2014
The German Pirate Party recently created an anti surveillance campaign that focuses on the security (or lack of) that cameras provide people. The...
How Upskirt Surveillance Videos Can Be Legal on Apr 01, 2014
After a man was caught taking upskirt videos of women on a Boston metro route the state supreme court dismissed the case. In this note, we review...
Little Brother is Watching Too on Mar 20, 2014
The concept of Little Brother is a play off George Orwell’s Big Brother in the book 1984, the all seeing eye of the government watching over the...

Most Recent Industry Reports

Arecont To Release Industries' Best H.265 Support on Sep 30, 2016
Go big, or go home. That seems to be Arecont's philosophy for H.265, they say they are working on the "best" H.265 implementation in the...
Wall Street Journal Runs Report on Dahua Hack on Sep 30, 2016
The Wall Street Journal is bringing attention to the massive Dahua attack we reported on Tuesday. In an Thursday article entitled, "Hackers Infect...
Dahua USA CEO Tim Wang, Where Is Your Integrity? on Sep 29, 2016
Dahua USA CEO Tim Wang and Dahua Director of Marketing Tim Shen shared their IPVM passwords extensively, resulting in Dahua USA CEO's account...
Allegion NDE Wireless Lock Examined on Sep 29, 2016
While wireless locks are one of the hottest areas of access control, two of its biggest challenges are high cost and limited integration with...
The 'Last Chance to Save' On Hikvision Is Here on Sep 29, 2016
It is over. After at least 8 across the board price cuts in the past 10 months, including an unprecedented back to back 20% off, Hikvision has...
Camera Calculator Class and IPVM Member Orientation October 2016 on Sep 28, 2016
Members, learn how to better design video surveillance systems and get the most out of your IPVM memberships with 2 upcoming live classes. Both...
Axis 4MP Camera Tested (M3046-V) on Sep 28, 2016
Axis has brought 4MP to its camera line in the new M3046-V, the highest resolution model in their revamped M30 series. We bought and tested this...
Hiring Spree At Aimetis 6 Months After Being Acquired on Sep 28, 2016
Aimetis was acquired in April 2016, and is now expanding almost all of their departments, hiring employees from Axis and other industry...
Hikvision Chairman Tours With Chinese Government Boss on Sep 28, 2016
Two China Communist senior officials toured Europe this summer, one was Hikvision's Chairman and the other was his boss, SASAC Director. In this...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact