Message boards on Reddit and 4chan were ablaze last January over a freshly exposed vulnerability in certain models of Trendnet home security cameras. This flaw, when manipulated correctly, allowed users to surreptitiously gain access to thousands of at-home IP camera feeds, providing a veritable online playground for peeping toms. In response, Trendnet issued a firmware update that purported to eliminate the threat, though nearly one year later, it's apparent that many owners never took action.
Earlier this month, Network World reported that many Trendcam users were still exposing their live feeds to the public, through a Google Maps-powered web app. The site requires no password or additional software, and provides not only real-time streams, but the precise location of every camera, as well. Clicking on a given pin opens a live stream from that particular camera, allowing visitors to spy on sleeping babies, empty living rooms, office interiors, and dimly lit parking lots.
Spending just a few minutes on the site can evoke an unsettling mix of fascination, guilt, and dread. The moving images that were once isolated and divorced from context are now fixed within a geographic space, imbuing them with an extra layer of reality — and, perhaps most important, lending a new sense of scale to Trendnet's security hole.
The identity of the site's creator remains unclear, though it appears to have been launched as part of a broader awareness campaign, and is likely associated with the @TRENDnetExposed Twitter account. Prominently displayed across the top of the interface is a download link for Trendnet's firmware update, alongside a Pastebin document full of links to exposed streams. The @TRENDnetExposed account has also been publishing these links, branding each post with a #TrendNetExposed hashtag.
Thus far, there's no clear explanation for the persistence of this vulnerability. Trendnet, for its part, says it has notified all owners of affected cameras, though Network World speculates that some users may have never registered their devices to begin with, which would therefore make it difficult to identify them. The manufacturer also ceased shipments of all affected models last year, and pulled any remaining cameras from store shelves.
In a statement provided to Network World, Trendnet IT Director Brian Chu said the company is doing its best to raise awareness of the issue, though he stopped short of offering an explanation for its resilience. "Trendnet is doing everything it can to notify all Trendnet IP camera users to update the critical security firmware on affected cameras," Chu said. "Obviously, it is an ongoing project."
Update: It appears that the map has since been disabled. Visitors to the cams.hhba.info site will now see a popup box that says, "Google has disabled use of the Maps API for this application," followed by a referral to Google's Terms of Service.