06.18.07
Buyer Beware! (”Returner” also Beware)
An interesting link came across one of the mailing lists I'm on earlier tonight. It seems that a man in Nova Scotia inadvertently became a peeping tom. You might ask how you inadvertently do this... well follow these simple steps.
- Purchase a WiFi-enabled security camera, that emails pictures every time motion is detected.
- Set it up at home, configuring your email address as the address that it uses.
- Decide the camera isn't for you, repackage it and return it to the store.
- Wait for another person to purchase the camera.
That's it... The article mentions that Staples warns stores to ensure that the device is fully erased before reselling it, however in this case the store owner insists that it is the original purchasers responsibility to ensure that data is wiped from the device. It raises an interesting question, however I don't think that you could, in any way, find the original purchaser responsible. I would highly suggest that they wipe the data (unless they want their email address available to someone else), but I don't think they could be forced to... Take a scenario where an elderly couple buys the camera and their grandchild deploys it for them... The grandchild goes home, the couple finds they don't like the camera, so they unplug it and box it up to return it... It may never cross their mind to reset the configuration... That should be the first step taken in the store.
Either way, let this serve as a lesson for anyone who has purchased an "Open Box" special and just plugged it in... Someone, somewhere may be watching you.
LonerVamp said,
June 18, 2007 at 9:42 am
Wow, that’s pretty crazy! And interesting to think about when I buy stuff. Thankfully I tend to play with configurations and updates anyway, so I would see that kind of stuff…
Randy Abrams said,
June 23, 2007 at 3:39 pm
This is going to become more and more of an issue. The retailer was about as clueless as they come. The pictures being sent to Gass were not really Gass’s problem, they were the problem of the next buyer. If you recall a while back, Walmart sold a Zune chock-full-porn. The Zune ended up in the hands of a 12 year old child. The store neglected to restore the product to new condition. http://www.zuneboards.com/content/view/26/2/. If the “actors” in content didn’t want their pics out there then they should have deleted them, but that the next buyer received this content is the store’s responsibility.
Randy Abrams
ThreatBlog » Blog Archive » Open-Item Attack Gadgets! said,
June 23, 2007 at 5:10 pm
[...] In reading Tyler Reguly’s blog over at computerdefense.org, I came across an interesting story. Tyler’s post is at http://www.computerdefense.org/?p=332. The story is a man purchased a wireless security camera and configured it to send the pictures it took to his email address. He decided that he didn’t like the camera and returned it to Staples for a refund. A family in Nova Scotia purchased the “open-item” camera, installed it, and started sending pictures to the previous owner. The Staples store neglected to reset the camera before reselling it. You can read the story at http://tinyurl.com/yskdz2. A retailer, presumably a Staples employee, disregarded Staples instructions to reset devices and blamed the previous owner, despite Staples claims that they instruct stores to reset the devices. [...]
Kane’s Computing World » Beware Open-Item Tech Specials! said,
June 25, 2007 at 7:48 pm
[...] In reading Tyler Reguly’s blog over at computerdefense.org, I came across an interesting story. Tyler’s post is at http://www.computerdefense.org/?p=332. The story is a man purchased a wireless security camera and configured it to send the pictures it took to his email address. He decided that he didn’t like the camera and returned it to Staples for a refund. A family in Nova Scotia purchased the “open-item” camera, installed it, and started sending pictures to the previous owner. The Staples store neglected to reset the camera before reselling it. You can read the story at http://tinyurl.com/yskdz2. A retailer, presumably a Staples employee, disregarded Staples instructions to reset devices and blamed the previous owner, despite Staples claims that they instruct stores to reset the devices. [...]