US Govt Punishes IP Camera Manufacturer Trendnet

Author: IPVM, Published on Sep 05, 2013

IP camera manufacturer TRENDnet has settled with the FTC after the agency says the company’s advertising, combined with failure to use “reasonable security to design and test its software” resulted in unfair trade practices. Because of security flaws in more than 20 models of TRENDnet cameras, customers’ private camera feeds were available over the Internet  from devices sold to them to secure their homes, according to the FTC. In this note, we review the FTC complaint, the outcome and what the decision means for the industry. 

The Complaint Reviewed

Trendnet's camera line was, as it turns out, ironically branded "SecureView" including a logo on the packaging emphasizing:

According to the FTC complaint, a malfunction in the “Direct Video Stream Authentication,” a setting that controlled user credentials preferences, allowed live feeds to be accessed regardless of a user’s security settings. The feeds were initially made public after hackers exploited the flaw and posted links to “nearly 700 of the cameras” online. “The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives,” says the FTC. 

The FTC also says the company transmitted and stored user login credentials unencrypted, failed to implement a process monitor and assess third-party security reports (delaying the opportunity to fix flaws) and failed to do any type of security review of its software. TRENDnet released a patch shortly after the exploit. 

TRENDnet’s marketing claimed the cameras were “secure” or suitable for maintaining security, says the FTC. On its website, packaging and other advertisements, TRENDnet claimed the cameras could help protect a user’s home, family, property or business. However, because TRENDnet failed to provide security from unauthorized access to live feeds, that “caused, or [was] likely to cause, substantial injury to consumers that is not offset by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers,” said the FTC in the complaint. “This practice was, and is, an unfair act or practice.”  

The Decision Reviewed

On Wednesday, the FTC announced that TRENDnet settled charges that it failed to protect its users' privacy. Although TRENDnet has acknowledged that the flaw was patched, by agreeing to a consent order it is not obligated to admit or deny any of the FTC’s complaints. 

The consent order bars TRENDnet from “misrepresenting the security of its cameras or the security, privacy, confidentiality, or integrity of the information that its cameras or other devices transmit” and “misrepresenting the extent to which a consumer can control the security of information the cameras or other devices store, capture, access, or transmit.” The order covers all advertisements, promotional materials, installation and user guide, packaging, and any materials disseminated by the company. 

Get Video Surveillance News In Your Inbox
Get Video Surveillance News In Your Inbox

It also requires the company to establish a detailed program, in writing, to address security risks and secure user information. The company must have a third-party complete periodic assessments to ensure compliance to the order every two years for the next 20 years. The report for each assessment will be delivered to the FTC. All of these documents must be made available to the FTC for inspection upon request for the next five years. 

Revenue

TRENDnet is a relatively modest player in IP camera market -- according to the complaint, the 80-person company did $5.28 million in IP cameras sales in 2011, rising to $7.4 million in 2012. Assuming a low average selling price (say $70), that would mean ~100,00 IP cameras per year, though almost all in the consumer, non VMS space. However, the potential impact this decision has on the industry is big. 

Impact on Other Manufacturers

In the last few years, the FTC has made an effort to crack down on tech manufacturers who commit privacy violations, but companies producing security technology may get more of the brunt than an app designer that reveals social media data without permission. This case should be an eye-opener for camera manufacturers who make claims about increasing safety or preventing harm. If a company is claiming their cameras can keep a person, place or thing safe, and those cameras have an issue that could negate that safety or potentially cause harm to the user, then that is an unfair trade practice, according to the FTC in this decision. Manufacturers should be more cautious about the claims they’re making and the vulnerabilities they may have. The FTC has demonstrated that they will take action.

This is all the more interesting given that the physical security industry has been historically lax in implementing information security (rampant default password use, ongoing security issues).

1 report cite this report:

Hikvision (Stops) Lying About Ezviz Security on Mar 18, 2016
Hikvision promoted the security of their directly sold Ezviz consumer line to Americans in a March 9, 2016 release. False It featured this false...
Comments (1) : PRO Members only. Login. or Join.

Related Reports on Privacy

Amazon's "Dangerous New Face Recognition Technology" Says ACLU on May 23, 2018
The ACLU has caused a stir, with a new report Amazon Teams Up With Law Enforcement to Deploy Dangerous New Face Recognition Technology,...
Genetec Clearance Face Detection / Redaction Test on May 14, 2018
Privacy regulations such as GDPR (EU Public Privacy), HIPAA (US Medical Privacy), and FERPA (US Student Privacy) are driving video surveillance...
Global Real-Time Video Surveillance - EarthNow on Apr 20, 2018
A new company, EarthNow, with backing from Bill Gates, Airbus and more, is claiming that: Users will be able to see places on Earth with a delay...
GDPR For Video Surveillance Guide on Apr 12, 2018
The European Union’s General Data Protection Regulation (GDPR) comes into force on May 25, but there is much confusion and no clear guidelines on...
VMS New Developments Spring 2018 (Avigilon, Exacqvision, Genetec, Hikvision, Milestone, Network Optix) on Apr 04, 2018
What's new with VMS software? In this report, we examine new features and releases for Spring 2018 to track different areas of potential...
Audio Usage In Video Surveillance Statistics on Mar 28, 2018
Audio is more widely available and easier to use than ever, with many IP cameras building audio in and often making integration as simple as...
Understanding The 20+ Lock Functions on Mar 27, 2018
While locks can look the same, they may operate in significantly different ways. To make understanding them simpler, widely adopted industry...
Video Privacy Mask Tutorial on Feb 27, 2018
Privacy has historically been hotly debated in the surveillance industry, especially in public surveillance systems where cameras may be located in...
Chinese Government Attacks Western Reports on Jan 03, 2018
The Chinese government is angry at the BBC and WSJ's reporting on Chinese video surveillance (see BBC Features Dahua and WSJ Investigates China's...
$800 Axis Thermal Camera Examined on Jan 02, 2018
Axis is releasing two of the lowest cost thermal IP cameras ever. But will low cost be enough to spur adoption? In this note, we examine the 2 new...

Most Recent Industry Reports

VMS Server Sizing on May 25, 2018
Specifying the right sized PC/server for VMS software is one of the most important yet difficult decisions in IP video surveillance. In the past...
China: Foreign Video Surveillance Is Security Risk on May 25, 2018
The Chinese government has long acknowledged that foreign video surveillance is a 'risk to national security' and has increasingly and almost...
US House Passes Bill Banning Gov Use of Dahua and Hikvision on May 24, 2018
Today, the US House of Representatives passed H.R. 5515, a bill that includes a ban on the US government's use of Dahua and Hikvision. This follows...
Hanwha Wisenet X Analytics and VMD Test on May 24, 2018
Continuing our updated testing of camera analytics, we tested Hanwha's Wisenet X analytics for over two weeks in multiple scenes, indoors and out,...
Ambitious Mobile Access Startup: Openpath on May 24, 2018
This team sold their last startup for hundreds of millions of dollars, now they have started Openpath to become a rare access control small...
Amazon's "Dangerous New Face Recognition Technology" Says ACLU on May 23, 2018
The ACLU has caused a stir, with a new report Amazon Teams Up With Law Enforcement to Deploy Dangerous New Face Recognition Technology,...
Software Only VMS vs NVR Appliances on May 23, 2018
Should you buy your own PC/server and load VMS software on it or get a turnkey appliance (both hardware and software, e.g., NVR, Hybrid DVR) from a...
Buy Arecont: Top Bid $10 Million Cash on May 22, 2018
Last year, Arecont had a deal for a purchase price of $170 million (see Failed Arecont China Acquisition). This year, Arecont has a deal for a...
Installing Box Cameras Indoors Tutorial on May 22, 2018
This tutorial starts our physical installation for video surveillance series, starting with Box Cameras, one of the oldest and most basic types....
The Hikvision Smart Classroom Behavior Management System on May 22, 2018
Hikvision's rapidly growing offering of analytics, which we most recently examined with Hikvision's ethnic minority analytics, is now going into...

The world's leading video surveillance information source, IPVM provides the best reporting, testing and training for 10,000+ members globally. Dedicated to independent and objective information, we uniquely refuse any and all advertisements, sponsorship and consulting from manufacturers.

About | FAQ | Contact