The security of Internet-connected baby monitors got a shake-up earlier today after security researchers identified critical vulnerabilities in all nine of the baby monitors they reviewed.
The vulnerabilities identified in the devices made it possible for hackers anywhere in the world to perform any number of nefarious tasks. These include monitoring live video feeds, altering camera settings, downloading video clips stored online, and changing who is allowed to remotely access and even control the baby monitor. Researchers at security firm Rapid7 spent most of 2015 testing nine models from eight different manufacturers, scoring them on a point scale that was then converted into letter grades. Eight of the models received an F while only one scored a D.
The reports come just two weeks after a couple from Indiana reported that someone had hacked into their baby monitor to play music along with “sexual noises.”
Researchers said that the vulnerabilities they uncovered could be used to invade owners’ personal privacy, and also to target and expose executives of companies who may work from home and have these devices attached to their network.
“It is important to stress that most of the vulnerabilities and exposures discussed in this paper are trivial to exploit by a reasonably competent attacker, especially in the context of a focused campaign against company officers or other key business personnel,” Rapid7 said in a detailed report published Wednesday morning. “If those key personnel are operating IoT devices on networks that are routinely exposed to business assets, a compromise on an otherwise relatively low-value target—like the video baby monitors covered in this paper—can quickly provide a path to compromise the larger, nominally external, organizational network.”
Internet-connected baby monitors exist to let parents and relatives easily view a live video feed of infants as they sleep, eat and play, all from a smartphone or computer. Depending on how many monitors are installed, the user can switch from room to room. Researchers listed a number of reasons the baby monitors were easily hacked, including hard-coded accounts with default passwords, unencrypted video and audio feeds, commands sent to the device in cleartext over the network, and the ability to gain unauthorized access through remote shells and similar interfaces. From Rapid7 itself, a list of findings (PDF):
1. The Philips In.Sight B120 establishes a direct connection to the camera’s backend web application onto the public Internet, unencrypted and unauthenticated. By brute forcing the possible hostname and port number combinations used by the third-party service provider, an attacker can locate an exposed camera and is able to watch the live stream, enable remote access (e.g. Telnet), or change the camera settings.
It is important to note that Philips N.V. has been the most responsive of the vendors we approached with the findings of this research and is currently working on a patch that will be made available to customers. The company’s vendor disclosure process is well established and clearly focused on ensuring its devices are safe for consumers. We applaud Philips’ commitment to fixing this vulnerability and their established protocol for handling incoming product vulnerabilities, which included using a documented PGP key to encrypt communications around this sensitive material.
2. The iBaby M6 has a web service issue that allows easy access to other people’s camera details by changing the serial number in a URL string. By abusing this access, filenames of a camera’s recorded video clips (automatically created from a motion or noise alert) can be harvested. Through a simple script, an attacker could potentially gain access to every recorded clip for every registered camera across the entire service.
3. The Summer Infant Baby Zoom Web service contains an issue where the method of adding an authorized viewer to the camera does not require any password or secret key for access to the feed. This means that by iterating through a user identifier on a URL, an attacker can add an e-mail address of their choice to every single camera and login at will to view the stream of any camera of their choosing.
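Findings 2 and 3 share one root cause: the web service trusts an identifier in the request instead of checking it against the logged-in account. The following added example (not taken from Rapid7's paper or any vendor's code) shows that weak pattern beside a server-side ownership check; the camera records, e-mail addresses and function names are constructed for illustration.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Caller is not authorized for the requested camera."""


@dataclass
class Camera:
    serial: str
    owner: str                                   # account that registered it
    viewers: set = field(default_factory=set)    # accounts allowed to watch
    clips: list = field(default_factory=list)    # recorded clip filenames


# Constructed sample data standing in for the vendor's backend database.
CAMERAS = {
    "CAM-0001": Camera("CAM-0001", "alice@example.com", clips=["alert-001.mp4"]),
    "CAM-0002": Camera("CAM-0002", "bob@example.com", clips=["alert-002.mp4"]),
}


def list_clips_unchecked(serial):
    """Weak pattern: the identifier in the URL is the only 'credential'."""
    return CAMERAS[serial].clips


def list_clips(session_user, serial):
    """Hardened: the authenticated account must own or be a viewer of the camera."""
    cam = CAMERAS.get(serial)
    # Same error for unknown and foreign cameras, so responses do not
    # reveal which serial numbers are registered.
    if cam is None or (session_user != cam.owner and session_user not in cam.viewers):
        raise Forbidden(serial)
    return list(cam.clips)


def add_viewer(session_user, serial, new_viewer):
    """Hardened: only the authenticated owner may change the viewer list."""
    cam = CAMERAS.get(serial)
    if cam is None or session_user != cam.owner:
        raise Forbidden(serial)
    cam.viewers.add(new_viewer)
    return sorted(cam.viewers)
```

`session_user` must come from the server's authenticated session, never from a request parameter, otherwise the check can be bypassed the same way.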
Models reviewed during their testing include:
- Gynoii (GCW-1010) – $89.34
- iBaby (M3S) – $169.95
- iBaby (M6) – $199.95
- Lens (LL-BC01W) – $54.99
- Philips (B120/37) – $77.54
- Summer (28630) – $199.99
- TRENDnet (TV-IP743SIC) – $69.99
- WiFiBaby (WFB2015) – $259.99
- Withings (WBP01) – $204.60
The researchers went on to say they believe a large majority of the Internet-connected baby monitors on the market today are affected by the same set of vulnerabilities.
At one level, it’s hard to believe manufacturers would be so careless as to ship such intimate objects with such severe vulnerabilities, but at another, it’s really not. Apple, Google and Microsoft often struggle to keep their own security intact, so it’s only to be expected that newly network-connected devices will take some time to get a handle on their security as well.
What’s even more shocking is that when the manufacturers were contacted with private reports detailing the vulnerabilities, only one, Philips, replied; none of the others responded with details or said whether fixes were in the works.
Those who are in the market for a baby monitor should look for one that is not Internet-connected; if it is, they should ensure it uses encryption to protect the video and audio feeds. Rapid7 advises those who have purchased Internet-connected baby monitors to actively monitor the manufacturer’s website for any security patches or similar updates.
“We advise individuals to use any camera that has not been fixed for identified issues or weaknesses sparingly—or preferably not at all—until the vendor is able to fully address identified problems,” security researchers wrote in an FAQ. “If a baby monitor allows a password to be changed, the device owner is highly encouraged to ensure that they do so and make a strong password to protect access.”