[Vision2020] F.T.C. Says Webcam’s Flaw Put Users’ Lives on Display

Thu Sep 5 06:42:43 PDT 2013

  [image: The New York Times] <http://www.nytimes.com/>

------------------------------
September 4, 2013
F.T.C. Says Webcam’s Flaw Put Users’ Lives on Display By EDWARD
WYATT<http://topics.nytimes.com/top/reference/timestopics/people/w/edward_wyatt/index.html>

WASHINGTON — The so-called Internet of Things — digitally connected devices
like appliances, cars and medical equipment — promises to make life easier
for consumers. But regulators are worried that some products may be magnets
for hackers.

On Wednesday, the Federal Trade Commission took its first action to protect
consumers from reckless invasions of privacy, penalizing a company that
sells Web-enabled video cameras for lax security practices.

According to the F.T.C., the company, TRENDnet, told customers that its
products were “secure,” marketing its cameras for home security and baby
monitoring. In fact, the devices were compromised. The commission said a
hacker in January 2012 exploited a security flaw and posted links to the
live feeds, which “displayed babies asleep in their cribs, young children
playing and adults going about their daily lives.”

“The Internet of Things holds great promise for innovative consumer
products and services,” Edith Ramirez, the commission’s chairwoman, said in
a statement. “But consumer privacy and security must remain a priority as
companies develop more devices that connect to the Internet.”

TRENDnet officials did not respond to a request for comment.

While the Internet of Things is still evolving, the concept currently
embraces both industrial and consumer products. In a factory, sensors can
be used to monitor manufacturing processes, warning that a machine needs
maintenance and potentially avoiding a breakdown. At home, so-called smart
appliances like refrigerators or thermostats can feed information via the
Internet to manufacturers and service providers to keep the products
humming.

In a speech last month, Ms. Ramirez noted that such developments required
more diligence by consumers and regulators. While many individuals consent
to data collection, consumers rarely are consulted about where their
personal information goes afterward. The F.T.C. plans to conduct a workshop
in November to discuss the issue, with an eye toward drawing up rules that
allow for both innovation and the protection of consumers.

Robert R. Belair, who formerly served in the commission’s division of
consumer protection and who is now the managing partner of the Washington
office of Arnall Golden Gregory, said it was not yet clear whether the
Internet of Things “changes the nature of the privacy threat, or just
exacerbates the threat in certain ways that require a little more
vigilance.”

In detailing the security lapses, the commission said the company
transmitted customers’ login information over the Internet in clear,
readable text rather than encrypting the data. It also said TRENDnet’s
mobile application, which allows customers to control the home camera from
a smartphone, did not properly protect users’ credentials. When the company
became aware of the flaws, it uploaded a software patch to its Web site and
tried to alert customers.

As part of the case, TRENDnet agreed to sanctions that include a 20-year
security-compliance auditing program. The company also promised not to
misrepresent the security of its cameras, the confidentiality of the
activity that its devices transmit, or consumers’ ability to control the
security of the cameras or their recordings. The agency’s four current
commissioners voted unanimously for the sanctions.

The F.T.C. does not have the legal authority to impose fines in such cases.
But TRENDnet agreed to a consent order prohibiting similar practices, so
the commission has the ability to seek penalties in the future.

Despite its recent action, the F.T.C.’s authority in this area has been
called into question. The Wyndham Hotel Group is challenging the
commission’s ability to penalize companies that do not do enough to protect
consumer information, like credit card numbers. Wyndham has argued that the
agency has not published any formal rules on data security. The case is
pending in Federal District Court in New Jersey.

The case against TRENDnet highlights the potential vulnerabilities that
consumers face when they connect everyday, in-home products to the
Internet. As with e-mail accounts, online banking and shopping Web sites,
enterprising hackers can get around security systems when vendors are
sloppy.

In 2010, TRENDnet began selling its digitally connected cameras under the
product name SecurView. With the device, individuals and businesses could,
via an individual Web site, monitor family members, customers or security
concerns. In three years, its camera business produced nearly $19 million
in revenue, accounting for 10 percent of the company’s total revenue in
that period.

According to the F.T.C., a hacker in 2012 identified a security flaw and
circulated the information publicly. Though the company was notified of the
breach within three days, others saw the message and quickly posted links
to live video feeds of about 700 cameras.

The commission said that the hacker was able “to identify a Web address
that appeared to support the public sharing of users’ live feeds.” While
only some customers opted to share their feeds publicly, the hacker found
that all of the feeds could be viewed and shared, the commission said.
After the episode, news accounts sometimes included photos taken from the
feeds.

Consumers “had little, if any, reason to know that their information was at
risk,” the commission said.

That kind of exposure “increases the likelihood that consumers or their
property will be targeted for theft or other criminal activity,” the F.T.C.
said, and “increases the likelihood that consumers’ personal activities and
conversations or those of their family members, including young children,
will be observed and recorded by strangers over the Internet.”

-- 
Art Deco (Wayne A. Fox)
art.deco.studios at gmail.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.fsr.com/pipermail/vision2020/attachments/20130905/cbf9f247/attachment.html>