Baby monitors which shipped with security flaws that allowed hackers to watch and listen to babies from remote locations have led to an FTC complaint against the company responsible, Trendnet.
Trendnet has agreed to a settlement including a regular third-party security audit for the next 20 years.
The FTC says that the complaint marks its first action against a “connected” product in this category. “This is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices – commonly referred to as the ‘Internet of Things.’”
The FTC alleged that the cameras had faulty software which left them open to being viewed remotely – all attackers needed was the camera’s internet address.
In a case earlier this year, a hacker spied on and insulted a toddler in her bed via a web-connected baby monitor. Marc Gilbert, of San Antonio, said that he saw the baby monitor move and heard a voice say, “Wake up, you little [expletive].”
“The Internet of Things holds great promise for innovative consumer products and services. But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet,” said FTC Chairwoman Edith Ramirez.
ESET researcher Stephen Cobb says, “I think the FTC deserves considerable kudos for taking action in the emerging sphere of digital activity often referred to as the ‘Internet of Things.’ As we see more and more digitally-enabled products in our daily lives, connecting to and controlled over the Internet, it is important that the public knows there is an agency charged with policing the veracity of marketing claims about the security of such devices and services.”
Cobb said, “This settlement reminds us that the FTC was quick to police email privacy back in 2001 with the Eli Lilly case and, soon after, online authentication and payment services with the Microsoft Passport case.”
Under the terms of the agreement, Trendnet is required to notify consumers of the faults with its camera monitoring system, and to direct them towards a patch which fixes the problem.
Earlier this year, researcher Nitesh Dhanjani demonstrated an attack on a popular “connected” lighting system sold in the Apple Store, the Philips Hue, which could be hacked to cause a “perpetual blackout” in the homes of users. Several other researchers demonstrated hacks against “connected” appliances at this year’s Black Hat conference in Las Vegas.
“By 2022, the average household with two teenage children will own roughly 50 such Internet-connected devices, according to estimates by the Organization for Economic Co-operation and Development,” Dhanjani said. “Our society is starting to increasingly depend upon IoT devices to promote automation and increase our well-being. As such, it is important that we begin a dialogue on how we can securely enable the upcoming technology.”
Author Rob Waugh, We Live Security