Keeping your children safe is one of your ultimate goals in life. It sure is for me. But at the end of a long day, you want to put them to bed and sit down with a nice cold one. If you have an infant, there’s a good chance you also have a baby monitor. Hearing those little movements, those tiny coughs and gurgles let you know the small one is secure.
In the old days, your baby monitor was audio-only, using a radio frequency for its connection. But modern baby monitors are online, networked, available through your smartphone, with videos and other “features.” Is there any need for a network-enabled baby monitor, or is it more of a threat than you realize?
The Modern Baby Monitor
Sound was the only thing an old baby monitor gave anxious parents. Keeping the monitor close to baby’s crib would provide just enough feedback to calm those fears. But baby monitors are evolving along with the rest of the technological world. A cursory glance at “the best baby monitors of 2018” tells me that the majority of monitors now have:
- Integrated video, some with night vision
- Smartphone apps and “ecosystems”
- Wi-Fi connections
- Motion sensors
- Two-way audio
Others come with cloud storage (why?!), built-in lullabies, temperature monitoring, and more. But you catch my drift: a modern baby monitor is more akin to a small media center than to the radio-audio versions of yesteryear.
And that is where the problem arises. Because we connect our baby monitors to the internet and because they are essentially tiny computers, they are susceptible to many of the same security issues as any other computer.
3 Examples of Baby Monitor Vulnerabilities
In the past three years, dating back to 2015, numerous baby monitor products were flagged as vulnerable. Here are three prime examples of vulnerable baby monitors.
1. Mi-Cam Spying
The Chinese-manufactured Mi-Cam device has approximately 50,000 users. But in February 2018, Austrian security company SEC Consult found a series of vulnerabilities in the devices.
One attacker gained access via a proxy server that simply bypassed the camera’s password. Another vulnerability allowed them to act as a man-in-the-middle, intercepting live video streams between the device and the manufacturer’s cloud server.
Also, the research team tore the device apart to extract the firmware. They found “very weak four-digit default credentials,” according to their research blog.
2. FTC Names Several Insecure Baby Monitors
Back in 2016, the New York Department of Consumer Affairs received multiple reports of baby monitors as hacking targets. The monitors were being used to scream at, menacingly laugh at, or play intimidating and scary noises to infants.
The FTC built on the New York DCA’s investigation, looking at five different baby monitors. It found that only one monitor required a secure password, while two had no encryption at all. Three allowed repeated password guesses after an incorrect entry, making them susceptible to a brute force attack.
The FTC findings weren’t a one-off. Security firm Rapid7 found similar vulnerabilities after testing nine Wi-Fi capable baby monitors. Their research found that “Every camera had one hidden account that a consumer can’t change because it’s hard-coded or not easily accessible. Whether intended for admin or support, it gives an outsider backdoor access to the camera.”
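The control missing from the three monitors that allowed repeated guesses is attempt limiting. As an added example (not code from any monitor, the FTC, or Rapid7), this sketch locks a login after three wrong guesses and doubles the lockout each time; the class, function names, and the PIN are hypothetical.

```python
import hmac


class LoginThrottle:
    """Refuse further guesses after repeated failures; each lockout is twice as long."""

    def __init__(self, secret, max_failures=3, base_lockout=30.0):
        # Plaintext secret only to keep the example short; a device should store a hash.
        self._secret = secret.encode()
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.failures = 0        # consecutive wrong guesses since the last lockout
        self.lockouts = 0        # lockouts triggered since the last successful login
        self.locked_until = 0.0  # guesses before this time are refused unchecked

    def attempt(self, guess, now):
        """Return 'ok', 'denied' or 'locked'; `now` is the caller's clock in seconds."""
        if now < self.locked_until:
            return "locked"
        if hmac.compare_digest(guess.encode(), self._secret):
            self.failures = 0
            self.lockouts = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            # 30 s, 60 s, 120 s, ... so sustained guessing keeps getting slower.
            self.locked_until = now + self.base_lockout * 2 ** self.lockouts
            self.lockouts += 1
            self.failures = 0
        return "denied"


def guesses_checked(throttle, wrong_guess, window=3600.0, step=1.0):
    """Measure the control: how many wrong guesses are actually compared in `window`."""
    checked, now = 0, 0.0
    while now < window:
        if throttle.attempt(wrong_guess, now) != "locked":
            checked += 1
        now += step
    return checked
```

At one wrong guess per second, this throttle checks 21 guesses in an hour; without it, all 3,600 would be checked.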
3. Russian Site Streaming Thousands of Webcams
While this isn’t specifically about baby monitors, a fair few were accessible via a Russian website acting as a portal for vulnerable internet-connected webcams.
At its peak, some 73,000 webcam streams were available to Insecam’s users. The site pulls webcam IP addresses from Internet of Things device search engine Shodan, making the streams available to anyone.
Understandably, the site attracted some concern. The site owner added filtering to make sure that “none of the cameras on Insecam invade anybody’s private life.” Furthermore, the site now removes “any private or unethical camera” after an email complaint.
Why Are Baby Monitors Vulnerable?
Modern Wi-Fi enabled baby monitors are vulnerable for the same reasons everything else is: poor security. Particularly so, considering the chasm of vulnerability that is the Internet of Things (IoT). There is a good reason that security experts are incredibly wary of IoT devices. A great many have no security customization options.
That means you have no direct control over the passwords that secure your devices. In turn, this means the baby monitor’s security is dependent on your internet connection security. As evidenced by the Insecam site, there are tens of thousands of cameras and baby monitors lacking even the most basic password protection, let alone encryption and other security features.
Another issue with default device security is the availability of lists containing thousands of pre-installed passwords. It only takes a moment to cross-check a device’s default settings.
Researchers at Ben Gurion University, Negev, Israel found that not only do devices force you to use default settings but that those settings are sometimes uniform across multiple devices. Given the propensity of manufacturers to use appalling four-digit PINs such as 0000 or 1234, this isn’t entirely surprising.
“It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices,” said Dr. Yossi Oren, senior lecturer in Ben Gurion’s Implementation Security and Side-Channel Attacks Lab. “Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products.”
Dr. Oren also added that “it only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand.”
How to Know If a Baby Monitor Is Secure
There are a few things you can do to find a genuinely secure baby monitor:
- The first is to give your home network security a once over. Does your router still have the default password setting? Did you change your Wi-Fi password to something good, strong, and memorable? Are there any unknown devices on your network?
- The second is to complete your due diligence while shopping around for a baby monitor. Make sure you can change the device password. Complete a Google search for your respective baby monitors with “security” or “vulnerability” in the search term. If the monitor appears in news articles concerning leaks, breaches, hacks and so on, don’t buy it.
- The third is to consider if you really need a baby monitor that connects to the internet, has cloud storage, or sends you push notifications if your baby doesn’t move for a period (yes, they exist, for some reason).
These three points are all vital to securing your baby monitor. But of all of them, the first is most important. If you cannot change the password on your baby monitor, you’ll never win. And that extends to all IoT devices.
If you cannot access the security settings, you are not in control of your security—and that alone is a slippery slope.
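For the "unknown devices on your network" check in the first point, here is an added example (not from the original article) that compares a Linux `ip neigh` listing against a list of devices you own. The sample output, the addresses, and the inventory are constructed; the neighbour table only shows devices this machine has recently talked to, so the router's own client list is the fuller source.

```python
import re

# One resolved neighbour entry, e.g. "192.168.1.1 dev wlan0 lladdr aa:bb:... REACHABLE"
NEIGH_RE = re.compile(r"^(?P<ip>\S+) dev \S+ lladdr (?P<mac>[0-9a-fA-F:]{17})\b")

# Constructed sample of `ip neigh` output (not captured from a real network).
SAMPLE = """\
192.168.1.1 dev wlan0 lladdr a4:2b:b0:11:22:33 REACHABLE
192.168.1.23 dev wlan0 lladdr 3c:5a:b4:aa:bb:cc STALE
192.168.1.40 dev wlan0 lladdr 00:11:22:33:44:55 REACHABLE
192.168.1.57 dev wlan0 lladdr 9a:01:02:03:04:05 DELAY
192.168.1.99 dev wlan0  FAILED
fe80::9801:2ff:fe03:405 dev wlan0 lladdr 9a:01:02:03:04:05 STALE
"""

# Constructed inventory: MAC address -> the device you know it to be.
KNOWN = {"A4:2B:B0:11:22:33": "router", "3C:5A:B4:AA:BB:CC": "laptop"}


def parse_neighbours(text):
    """Yield (ip, mac) for entries that resolved to a hardware address."""
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:  # FAILED/INCOMPLETE entries carry no lladdr and are skipped
            yield m["ip"], m["mac"].lower()


def is_randomised(mac):
    """Locally administered bit set: typical of phones using private Wi-Fi addresses."""
    return bool(int(mac[:2], 16) & 0x02)


def audit(text, known):
    """Return {mac: {"ips": [...], "randomised": bool}} for devices not in `known`."""
    known = {m.lower() for m in known}
    unknown = {}
    for ip, mac in parse_neighbours(text):
        if mac in known:
            continue
        entry = unknown.setdefault(mac, {"ips": [], "randomised": is_randomised(mac)})
        entry["ips"].append(ip)
    return unknown
```

A randomised address is often just a family phone, so check those against the devices in the house before treating them as intruders.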