F.T.C. Says Webcam’s Flaw Put Users’ Lives on Display

By EDWARD WYATT - September 4, 2013 - The New York Times

WASHINGTON — The so-called Internet of Things — digitally connected devices like appliances, cars and medical equipment — promises to make life easier for consumers. But regulators are worried that some products may be magnets for hackers.

On Wednesday, the Federal Trade Commission took its first action to protect consumers from reckless invasions of privacy, penalizing a company that sells Web-enabled video cameras for lax security practices.

According to the F.T.C., the company, TRENDnet, told customers that its products were “secure,” marketing its cameras for home security and baby monitoring. In fact, the devices were compromised. The commission said a hacker in January 2012 exploited a security flaw and posted links to the live feeds, which “displayed babies asleep in their cribs, young children playing and adults going about their daily lives.”

“The Internet of Things holds great promise for innovative consumer products and services,” Edith Ramirez, the commission’s chairwoman, said in a statement. “But consumer privacy and security must remain a priority as companies develop more devices that connect to the Internet.”

TRENDnet officials did not respond to a request for comment.

While the Internet of Things is still evolving, the concept currently embraces both industrial and consumer products. In a factory, sensors can be used to monitor manufacturing processes, warning that a machine needs maintenance and potentially avoiding a breakdown. At home, so-called smart appliances like refrigerators or thermostats can feed information via the Internet to manufacturers and service providers to keep the products humming.

In a speech last month, Ms. Ramirez noted that such developments required more diligence by consumers and regulators. While many individuals consent to data collection, consumers rarely are consulted about where their personal information goes afterward. The F.T.C. plans to conduct a workshop in November to discuss the issue, with an eye toward drawing up rules that allow for both innovation and the protection of consumers.

Robert R. Belair, who formerly served in the commission’s division of consumer protection and who is now the managing partner of the Washington office of Arnall Golden Gregory, said it was not yet clear whether the Internet of Things “changes the nature of the privacy threat, or just exacerbates the threat in certain ways that require a little more vigilance.”

In detailing the security lapses, the commission said the company transmitted customers’ login information over the Internet in clear, readable text rather than encrypting the data. It also said TRENDnet’s mobile application, which allows customers to control the home camera from a smartphone, did not properly protect users’ credentials. When the company became aware of the flaws, it uploaded a software patch to its Web site and tried to alert customers.

As part of the case, TRENDnet agreed to sanctions that include a 20-year security-compliance auditing program. The company also promised not to misrepresent the security of its cameras, the confidentiality of the activity that its devices transmit, or consumers’ ability to control the security of the cameras or their recordings. The agency’s four current commissioners voted unanimously for the sanctions.

The F.T.C. does not have the legal authority to impose fines in such cases. But TRENDnet agreed to a consent order prohibiting similar practices, so the commission has the ability to seek penalties in the future.

Despite its recent action, the F.T.C.’s authority in this area has been called into question. The Wyndham Hotel Group is challenging the commission’s ability to penalize companies that do not do enough to protect consumer information, like credit card numbers. Wyndham has argued that the agency has not published any formal rules on data security. The case is pending in Federal District Court in New Jersey.

The case against TRENDnet highlights the potential vulnerabilities that consumers face when they connect everyday, in-home products to the Internet. As with e-mail accounts, online banking and shopping Web sites, enterprising hackers can get around security systems when vendors are sloppy.

In 2010, TRENDnet began selling its digitally connected cameras under the product name SecurView. With the device, individuals and businesses could, via an individual Web site, monitor family members, customers or security concerns. In three years, its camera business produced nearly $19 million in revenue, accounting for 10 percent of the company’s total revenue in that period.

According to the F.T.C., a hacker in 2012 identified a security flaw and circulated the information publicly. Though the company was notified of the breach within three days, others saw the message and quickly posted links to live video feeds of about 700 cameras.

The commission said that the hacker was able “to identify a Web address that appeared to support the public sharing of users’ live feeds.” While only some customers opted to share their feeds publicly, the hacker found that all of the feeds could be viewed and shared, the commission said. After the episode, news accounts sometimes included photos taken from the feeds.

Consumers “had little, if any, reason to know that their information was at risk,” the commission said.

That kind of exposure “increases the likelihood that consumers or their property will be targeted for theft or other criminal activity,” the F.T.C. said, and “increases the likelihood that consumers’ personal activities and conversations or those of their family members, including young children, will be observed and recorded by strangers over the Internet.”