The vulnerability was discovered by a blogger who uses the name “someLuser” and who posted details of the flaw in January, describing how he was able to find vulnerable cameras online by using the Shodan search engine, which allows users to find internet-connected devices using simple search terms.
Although users can set up the cameras with a password, the video stream from even a password-protected camera is available to anyone who knows the camera’s net address, which consists of an IP address and a sequence of 15 digits that are the same for every computer. In this manner, the blogger says he was able to identify 350 vulnerable Trendnet cameras.
“There does not appear to be a way to disable access to the video stream, I can’t really believe this is something that is intended by the manufacturer. Let’s see who is out there :),” he wrote in his post.
Within days of his revelation, readers had found more than 600 cameras through their web addresses, including cameras inside businesses and children’s bedrooms. As more cameras were exposed, some readers posted screenshots from the cameras as well as Google Maps purporting to identify the exact location of the cameras.
U.S.-based Trendnet has acknowledged the flaw and told the BBC the vulnerability was introduced with code added to the product in 2010. The company, which first learned of the problem on Jan. 12, is in the process of updating firmware to correct the problem in 26 vulnerable models of its product.
“We anticipate to have all of the revised firmware available this week. We are scrambling to discover how the code was introduced and at this point it seems like a coding oversight,” Zak Wood, Trendnet’s director of global marketing, told the BBC.