Researcher gives baby monitors an 'F' in cybersecurity

A new report by a Rapid7 security consultant claims a slew of baby monitors can be hacked – which could offer potential attackers a way to snoop on people’s homes.

A new report claims a wide array of Internet-connected baby monitors do not have basic cybersecurity protections that would prevent outside hackers from accessing video feeds into unsuspecting people’s homes.

The report released Wednesday by Mark Stanislav, a senior security consultant at the information security firm Rapid7 tested baby cameras from eight different manufacturers and gives all but one failing grades. The other monitor’s letter grade wasn’t much better – a “D.”

“Many of the mistakes I found were design decisions, not bugs. They were choices, not mistakes,” Mr. Stanislav told Passcode.

A major problem Stanislav says he found in most devices he tested was that they do not encrypt video feeds. Encryption is a security measure that would prevent hackers eavesdropping on Internet or WiFi connections from being able to view the data sent from monitors to the app or computer program the parent would use to watch the video, or to the cloud-based video archives. Stanislav also noted that several baby monitors had hidden accounts and passwords hard coded into the devices – a user could not make changes or delete them. So, if an attacker compromised those accounts, they could have a secret access point to take control of the camera.

Stanislav investigated nine Internet-connected cameras specifically advertised for watching babies, including specific models by manufacturers Gyonii, Lens Peek-a-view, Philips, Summer Baby Zoom, TRENDnet, WiFiBaby and Withing, and two models from iBaby.

Three of the cameras, he says, had particularly glaring security holes. The Philips In.Sight model, he said, simply places a live stream of video onto the Internet without even requiring an account or password to protect it. And the iBaby M6, for instance, uses a web service that aggregates clips of the baby. While that one requires a password, Stanislav says anyone logged in can see any other user’s video by using an easy trick: Simply typing in an easily-guessable user ID into the web address  And with the Summer Baby Zoom, the report found no authentication was required to authorize new users to view camera feeds. Attackers can simply add themselves.

Though Stanislav tested models with prices ranging from $55 to $260, to his surprise, he said, the price of the monitor made no difference in the cybersecurity protection it offered – the cheaper of the two iBaby monitors he awarded was the only monitor to earn a less-than-failing grade of “D.”

The idea of an attacker gaining access to baby cameras is obviously concerning – parents very likely do not want strangers watching their kids. But poor cybersecurity in baby cameras have also been known to cause a larger violation of privacy by offering hackers a very personal video and audio feed into the goings-on within people's homes.

A widely publicized vulnerability in TRENDnet cameras in 2012 – including in their baby cameras – led voyeurs to create of websites full of live feeds of unsuspecting houses and businesses. And earlier this year, a vulnerability acknowledged by Foscam in its baby monitors allowed attackers to use the baby monitor’s speakers, letting them talk to children, and, reportedly at least one terrified babysitter.

The root of the problems with many of the past hacks were passwords that hackers could easily crack. But the problems with the devices Stanislav tested ran deeper. While some of the flaws Stanislav says he found in the smart cameras were actually the fault of an out-of-date, third-party operating system or other device, he says all the devices save for the WiFiBaby and Withing models also contained previously unreported vulnerabilities.

Rapid7 shared these vulnerabilities with the manufacturers in July. Yet, of the companies he contacted, Stanislav said the only vendor that was responsive was Philips – a large company already accustomed to working with security researchers.

 

Some companies told Passcode they are aware of the Rapid7 report, and said they are either investigating the issues Stanislav raised, or do not agree with his security grades.  

In a statement, TRENDnet said that it was still verifying Stanislav’s findings and would “take an appropriate course of action once we have all available information.”

And Devin Fox, daily operations manager at WiFiBaby, said the descriptions of the security threats caused by unencrypted video streams are overblown, since a potential attacker would need a fair amount of technical expertise to take advantage of it – and even then, the hacker could only eavesdrop when camera was on, and already streaming video.

WiFiBaby, said Mr. Fox, takes security “very seriously” and deploys several layers of protection that which didn’t factor into Stanislav’s grading.

For instance, users can set their WiFiBaby monitors so they can only be accessed by devices on the same home network – a feature that, if activated, would likely sidestep any threat from the outside. He also said its users are forced to change the default password – which often isn’t the case with baby monitors or, for that matter, routers and other home devices.

This is significant because, as Fox noted, many camera hacks in recent years were carried out after the owners failed to change the default password. Since the default password is typically the same across all devices of the same model, leaving the default password could be tantamount to giving a password to everyone willing to do minimal research.

What’s more, Fox adds, “there have been no security problems with our device – we’ve never had a single call.”

While Stanislav believes a number of the devices he researched are technically incapable of being repaired,  he does believe there are some common security practices users could adopt to help prevent eavesdroppers from listening in.  For example, monitors with unencrypted video are at their most hackable when users watch video from public WiFi networks. He recommends using a cell phone Internet connection instead.

And, he said, always turn off the cameras when they are not in use.