US Govt Punishes IP Camera Manufacturer Trendnet

Author: IPVM, Published on Sep 05, 2013

IP camera manufacturer TRENDnet has settled with the FTC after the agency said the company’s advertising, combined with its failure to use “reasonable security to design and test its software”, resulted in unfair trade practices. Because of security flaws in more than 20 models of TRENDnet cameras, customers’ private camera feeds were available over the Internet from devices sold to them to secure their homes, according to the FTC. In this note, we review the FTC complaint, the outcome and what the decision means for the industry.

The Complaint Reviewed

TRENDnet's camera line was, as it turns out, ironically branded "SecureView", including a logo on the packaging emphasizing:

According to the FTC complaint, a malfunction in the “Direct Video Stream Authentication,” a setting that controlled user credentials preferences, allowed live feeds to be accessed regardless of a user’s security settings. The feeds were initially made public after hackers exploited the flaw and posted links to “nearly 700 of the cameras” online. “The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives,” says the FTC. 

The FTC also says the company transmitted and stored user login credentials unencrypted, failed to implement a process to monitor and assess third-party security reports (delaying the opportunity to fix flaws) and failed to do any type of security review of its software. TRENDnet released a patch shortly after the exploit.

TRENDnet’s marketing claimed the cameras were “secure” or suitable for maintaining security, says the FTC. On its website, packaging and other advertisements, TRENDnet claimed the cameras could help protect a user’s home, family, property or business. However, because TRENDnet failed to provide security from unauthorized access to live feeds, that “caused, or [was] likely to cause, substantial injury to consumers that is not offset by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers,” said the FTC in the complaint. “This practice was, and is, an unfair act or practice.”  

The Decision Reviewed

On Wednesday, the FTC announced that TRENDnet settled charges that it failed to protect its users' privacy. Although TRENDnet has acknowledged that the flaw was patched, by agreeing to a consent order it is not obligated to admit or deny any of the FTC’s complaints. 

The consent order bars TRENDnet from “misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit” and “misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit.” The order covers all advertisements, promotional materials, installation and user guides, packaging, and any materials disseminated by the company.

It also requires the company to establish a detailed program, in writing, to address security risks and secure user information. The company must have a third party complete periodic assessments to ensure compliance with the order every two years for the next 20 years. The report for each assessment will be delivered to the FTC. All of these documents must be made available to the FTC for inspection upon request for the next five years.

Revenue

TRENDnet is a relatively modest player in the IP camera market -- according to the complaint, the 80-person company did $5.28 million in IP camera sales in 2011, rising to $7.4 million in 2012. Assuming a low average selling price (say $70), that would mean ~100,000 IP cameras per year, though almost all in the consumer, non-VMS space. However, the potential impact this decision has on the industry is big.

Impact on Other Manufacturers

In the last few years, the FTC has made an effort to crack down on tech manufacturers who commit privacy violations, but companies producing security technology may get more of the brunt than an app designer that reveals social media data without permission. This case should be an eye-opener for camera manufacturers who make claims about increasing safety or preventing harm. If a company is claiming their cameras can keep a person, place or thing safe, and those cameras have an issue that could negate that safety or potentially cause harm to the user, then that is an unfair trade practice, according to the FTC in this decision. Manufacturers should be more cautious about the claims they’re making and the vulnerabilities they may have. The FTC has demonstrated that they will take action.

This is all the more interesting given that the physical security industry has been historically lax in implementing information security (rampant default password use, ongoing security issues).
