Advisory: Backdoor in TRENDnet IP cameras
**Trendnet Responds: Comment left below from Trendnet in response to the most recent vulnerability.
TRENDnet has posted the resolution to the security breach on their IP cameras: You can check information on affected TRENDnet IP cameras at:http://www.trendnet.com/products/features.asp?featureid=52. You can download critical firmware along with detailed update instructions for the affected TRENDnet IP cameras athttp://www.trendnet.com/downloads/.
Consolecowboys.org blogger “someLuser” (yes that is his tag)has identified a security vulnerability in some TRENDnetIP cameras which permits inquisitive web users to access them without authentication. He discovered the vulnerability whilst exploring the firmware on his TV-IP110w camera using a tool called binwalk.
Lengthy lists of freely accessible video streams are already circulating on the web. Random sampling by most testers found that most of the cameras were indeed freely accessible, providing views of offices, living rooms and children’s bedrooms. For demonstration purposes, someLuser has put together a Python script which uses server search engine Shodan to find cameras. Navigating to a camera web server URL displays the video stream recorded by the camera – this occurs whether or not a password has been set.
TRENDnet has already responded by providing a firmware update promising “improved security”, which can be downloaded from its support page. Many other TRENDnet cameras also appear to be affected – according to someLuser, the firmware for the company’s TV-IP121W, TV-IP252P, TV-IP410WN, TV-IP410, TV-IP121WN and TV-IP110WN models has been updated. Anyone using one of these cameras should update the firmware without delay.
You can find the firmware for your device here: http://www.trendnet.com/langge/downloads/category.asp?iType=32
- Trendnet Home Security Breach Raises Concern (ibtimes.com)
- Trendnet home security cam flaw exposes video feeds on net (gansec.com)