Backdoor in TRENDnet IP cameras
Consolecowboys blogger someLuser has identified a security vulnerability in some TRENDnet IP cameras which permits inquisitive web users to access them without authentication. He discovered the vulnerability whilst exploring the firmware on his TV-IP110w camera using a tool called binwalk.
Lengthy lists of freely accessible video streams are already circulating on the web. Random sampling by The H's associates at heise Security found that most of the cameras were indeed freely accessible, providing views of offices, living rooms and children's bedrooms. For demonstration purposes, someLuser has put together a Python script which uses the server search engine Shodan to find cameras. Navigating to a camera web server URL displays the video stream recorded by the camera – this occurs whether or not a password has been set.
TRENDnet has already responded by providing a firmware update promising "improved security", which can be downloaded from its support page. Many other TRENDnet cameras also appear to be affected – according to someLuser, the firmware for the company's TV-IP121W, TV-IP252P, TV-IP410WN, TV-IP410, TV-IP121WN and TV-IP110WN models has been updated. Anyone using one of these cameras should update the firmware without delay.