Internet of Things fails again
If it’s not one thing, it’s another with the security fiasco known as Internet of Things. As InfoSecurity Magazine reports:
Parents rely on baby monitors to help them keep their kids safe—but it turns out that these staples of the young-family household have serious cybersecurity flaws—including those that allow hackers to spy on the household.
Rapid7 researchers uncovered critical vulnerabilities in three popular baby monitors, and a slew of other problems in others. In one, an attacker could locate an exposed camera and watch the live stream, enable remote access (e.g. Telnet) or change the camera settings. In another, an attacker could potentially gain access to every recorded clip for every registered camera across the entire service. And in the third, an attacker could add an e-mail address of their choice to every single camera, and log in at will to view the stream of any camera of their choosing.
Further, in evaluating nine different devices from eight different vendors, Rapid7 found numerous security weaknesses and design flaws, like hardcoded credentials, unencrypted video streaming, and unencrypted web and mobile app functions.
Unfortunately, most of these vulnerabilities and exposures are “trivial” to exploit by a reasonably competent attacker, the researchers said in an analysis.
Affected Baby Monitors
| Vendor | Model |
|---|---|
| iBaby Labs, Inc | iBaby M6, iBaby M3S |
| Philips Electronics | Philips In.Sight |
| Summer Infant | Summer Baby Zoom WiFi Monitor & Internet |
| TRENDnet | TRENDnet WiFi Baby |
If you own a baby monitor in this list, please check the report from Rapid7 to determine how vulnerable your particular monitor is and what you might be able to do about it yourself. In some cases an attacker will need to know something about the baby monitor before he gains access. This can be pretty difficult to do without physical access (how well do you know your babysitter?). In other cases, it will be trivial for a criminal to gain access no matter where the monitor is located in the world.
Conversely, just because your baby monitor isn’t in this list doesn’t mean it’s not vulnerable. It probably is; it just wasn’t tested.
So what? Somebody else might be able to see my kid
Well, if it doesn’t creep you out that criminals may be watching your child sleeping, I don’t know what to say to you.
But let’s look at the technical aspect, too. If someone can take over the OS in a baby monitor, they will have access to your entire home network. Do you do anything important on your home network that you don’t want criminals to see? Do you think they’ll be able to get access to your computers or other security cameras? Do you think they’ll be able to install monitoring software to know when you are home and when a babysitter might be there instead? Or know when you’re breastfeeding? Or just figure out when nobody’s there so they can rob the joint in peace?
Let’s see what the baby monitor manufacturers do about it.
My guess is not much, and not any time soon. These IoT consumer companies don’t have security experts on staff. Most of them probably wouldn’t know how to fix these problems so that they stay fixed for good. I guarantee, though, that whatever they fix won’t be the last thing: this was just a single study that uncovered the basic flaws. Wait until the next round.
What you can do
Unplug the baby monitors. You don’t need video on your kid in the crib. If you are really concerned about what’s going on in there 24/7, get a radio monitor and be satisfied with listening to your baby. Whatever peace of mind you think you are getting is vastly outweighed by what the criminals will be able to do.