A bird’s-eye view of a playground. The inside of a convenience store. The entrance to a home.
All of these scenes, recorded live by Internet-connected surveillance cameras, have been open to snooping by even the most novice hackers, say researchers at Refirm Labs, a new startup founded by ex-National Security Agency workers. Anyone could remotely view these and scores of other remote locales through a vulnerability affecting certain surveillance cameras manufactured by TRENDnet, a California-based gadget-maker, they said.
Refirm is set to disclose this and other critical vulnerabilities affecting other devices, such as TRENDnet and Belkin routers as well as Dahua security cameras, on Wednesday. The company previewed its findings with Fortune in the lead-up to their publication.
“I wouldn’t even call this a hack because it doesn’t take any sophistication,” said Terry Dunlap, cofounder and CEO of Refirm, about the vulnerability, which affects TRENDnet’s TV-IP344PI camera model. Tuning into these cameras’ video feeds requires neither authorization nor authentication, but merely the knowledge of a device’s IP address, an easily obtained bit of identifying information, Dunlap said.
The findings call into question whether Trendnet has been taking the security of its products seriously enough in the wake of a 2014 settlement with the Federal Trade Commission that found its security to be lax. Trendnet was forced to abide by tightened regulatory standards—bolstering its information security program and submitting to regular security audits—after a severe vulnerability allowed attackers to monitor and expose hundreds of video feeds from faulty cameras.
The latest version of the TRENDnet camera still has flaws that allow attackers to gain total control of a given camera, to use it to launch other attacks, to “brick” or destroy it, to meddle with its video outputs, or to install new programming instructions on it, the researchers said.
You can watch a demonstration of how hackers can take advantage of some of the bugs here.
TRENDnet was notified of the vulnerabilities this week, Dunlap said.
“We have just received this report, and TRENDnet is currently reviewing it to validate the authenticity of each claim,” said Emily Chae, a spokesperson for TRENDnet, in an email to Fortune on Tuesday. “All TRENDnet products are tested by an internal audit team, and TRENDnet cameras go under further testing by a leading 3rd party security group. We will release a patch soon for any confirmed vulnerabilities.”
Other findings by Refirm included security holes in Belkin routers (model F9K1124v1), TRENDnet routers (TEW-816DRM), and a Dahua security camera (IPC-HDW4300S). The bugs could allow hackers to hijack devices, to meddle with their inner workings, to siphon data from networks, or to burrow deeper inside of them, the researchers said.
Dunlap’s team notified Belkin about the vulnerabilities affecting its products in two reports released in June and Oct. by his previous company, Tactical Network Solutions. Belkin released patches soon after.
“All three vulnerabilities have been addressed and we recommend that Belkin customers update their routers to this latest firmware,” said Karen Sohl, a spokesperson for Belkin.
Like TRENDnet, Dahua is only just learning about the issues affecting their products. Refirm is urging people to avoid Dahua’s products entirely, since it says many of them include hardcoded credentials that allow anyone to tamper with a device’s firmware or install backdoors.
The Refirm team provocatively suggested that this may have been done intentionally.
“This vulnerability is not the result of an accidental logic error or poor programming practice, but rather an intentional backdoor placed into the product by the vendor,” the researchers wrote. “Given that many other Dahua products contain this exact same backdoor, we strongly recommend against connecting any Dahua products to critical or sensitive networks.”
Refirm didn’t explain why Dahua would want to such a thing, and Dahua did not immediately respond to Fortune’s request for comment.
In most cases, Dunlap says, “if developers implemented secure coding practices from the very start, a significant number of IoT [Internet of Things] attacks would not exist today.”
Get Data Sheet, Fortune’s technology newsletter
Where patches are not available, as is the case for TRENDnet and Dahua, Refirm advises people to sequester their cameras and routers away from internal networks, to limit their access to sensitive resources, or to remove them entirely until further notice.
