A few weeks ago, a blog called Console Cowboys exposed a security vulnerability in some models of Trendnet home security cameras. Following the instructions on the site, thousands of streaming personal IP cameras can be accessed. Links to the compromised feeds spread quickly on message boards like Reddit and 4chan, where the adolescent quest for the surreptitiously viewed nipple kicked into high gear.
Of course, nudity was found: a woman taking off her pajamas in her bedroom, a young mother standing next to a baby crib at night. Screenshots were made and posted to 4chan for teenage boys to ogle. These cameras were purchased by people who believed they would be making their home or workplace more secure. Instead, they became victims of an intimate and personal invasion of privacy. The security breach isn't leaking customer data like credit card numbers, or even sensitive corporate secrets as described in a recent New York Times article about security flaws in videoconferencing systems.
It’s worse. It’s strangers watching you undress in your own home.
While many IP cameras have open feeds that are semi-public and don’t require passwords, a close look at the Trendnet firmware revealed code that can be appended to the IP address of the camera, creating a URL of the camera’s feed that bypasses password authentication. The author of the Console Cowboys post, Someluser, was surprised it even worked:
I can't really believe this is something that is intended by the manufacturer. Let's see who is out there :)
Other available cameras were found by searching shodanhq.com, a semi-shady site that catalogs open devices. Some of the more interesting camera feeds included a laundromat in Los Angeles, a bar and grill in Virginia, living rooms in Korea and Hong Kong, offices in Moscow, a Newark man watching the football game in a Giants jersey, and the inside of a turtle cage.
Console Cowboys posted its instructions on accessing the cameras on January 10, and over the next two days a list of links to over 1,000 camera feeds appeared on Pastebin, a free text storage site popular among programmers and 4channers for storing and sharing snippets of code, Occupy movement screeds, the anti-Scientology manifestos of Anonymous, and the assorted Dane Cook joke. In an email, Someluser said that he was not responsible for creating the long list of links or posting them to other sites. "I would imagine these lists were created by readers and other individuals who have since created script enhancements on the original findings and code....It is hard to say how it ended up on 4chan, it is not a site I frequent."
The Pastebin link list appeared on Reddit’s security forum within a day, and on 4chan’s /b/ board sometime that week. Currently, the list has had over 87,000 hits. Each camera feed may have been viewed by hundreds or thousands of people.
On Reddit, the comments express concern over the unethical nature of this type of voyeurism: "this is no different than posting private information about individuals. Should be removed." On another message board, a user wrote, "the first one I tried showed a child's playpen, lake [sic] a nanny cam or something. I immediately shut the window and regret ****ing with this, I thought it would be parking lots and skyscrapers and ****, not residential cameras."
I first discovered the leaked camera feeds on 4chan on January 21, but it was clear that users had already known about them for some time. The thread had started out as a troll — someone posted a screenshot of his browser displaying one of the cameras, with his other browser tabs conspicuously open to sites 4channers would find distasteful (Reddit, a My Little Pony fan blog, icanhazcheeseburger). The post was meant to goad people into insulting him for his poor taste, but the thread quickly changed as commenters remembered how fun it was to watch those feeds that they had discovered the week before. Apart from the nudity, the camera that garnered the most 4chan rage showed an empty living room that featured a large Christmas tree: users decried how lazy this family must be to still have the tree up a month after the holiday.
Since the link for each feed is the IP address of the camera appended with the code that allows you to access the stream, it’s not too hard to track down exactly who you’re looking at. One feed showed an older man sitting at his computer at home; 4chan suspected he was masturbating and quickly tracked down his home address. The lack of a phone number thwarted their plans to call him up and watch as he answered.
The particular camera that the security bug was discovered in is a discontinued model that sells for around $70, though Someluser says the bug existed in additional models, meaning a wider range of camera owners are vulnerable (including, but perhaps not limited to, models TV-IP110W, TV-IP110WN, TV-IP121WN, and TV-IP410). The leaked feeds were a mix of small businesses — a store entrance or a stack of servers — and private homes. Several of these residential use cameras were aimed at a crib, suggesting that these were being used as baby monitors or even "nanny cams" to monitor childcare workers. None of the homes with cameras appeared to be particularly lavish, which suggests the cameras were not as much for protecting valuable property as they were to monitor residents or employees.
On January 30th, Trendnet issued a critical update that addresses the security flaw for that camera. Zak Wood, the Director of Global Marketing for the company, sent me an email that read, in part: "We became aware of it when it was reported on a public forum (very recently). This is a major concern and we dedicated significant resources to fix this issue immediately." As of this writing, most of the feeds are still active, meaning the customers have not yet updated their firmware, which Trendnet recommends doing over a secure (wired) internet connection. The compromised cameras may be up to five years old, and rarely have firmware updates; it’s likely many customers will never bother updating. "We emailed all customers who registered their product with Trendnet informing them of the recommendation to download new firmware and we have posted a high priority note in the downloads area," he continued. "This information will also be in our monthly newsletter this month which has extensive reach."
These days, online privacy concerns revolve mostly around your choice in how companies use your data. Those stakes may be high for companies like Facebook or Google that want to profit from your data, but relatively low for the average user. This is a completely different situation: a mistake made by the company left its customers in the horrible position of being spied on by possibly thousands of strangers for twenty days before it issued a fix, and it likely leaves the large percentage of customers who didn’t register their devices exposed indefinitely.
Apart from the initial 4chan rush, the list of camera feeds spread among the typical internet hangouts of the young and restlessly nerdy. Ironically, it’s the web 1.0 venues of message boards and IRC chats that are home to some of the most technically savvy internet users, and the sophisticated links to the camera feeds started appearing in sports message boards and hip hop forums. One Minecraft enthusiast distilled the general reaction of the young men who were combing through the video feeds into three words: "must find boobys."
Katie Notopoulos is the author of the blogs Sorry I Missed Your Party, Dumb Tweets @ Brands, and Marina Abramović Made Me Cry. She lives in New York City and works in e-commerce. She can be found on Twitter.