Security firm Rapid7 discovered that nine Internet-connected baby monitors, including Gyonii (GCW-1010), iBaby (M3S), iBaby (M6), Lens (LL-BC01W), Philips (B120/37), Summer (28630), TRENDnet (TV-IP743SIC), WiFiBaby (WFB2015), Withing (WBP01), are all insecure and easy to hack into.
Security flaws within the baby monitors allow hackers half way around the world to monitor live video feeds, change camera settings, garner video clips stored online, and make an infinite number of additions to the list of users authorized to view and control the monitor.
Experts at Rapid7 spent majority of 2015 reviewing the baby monitors, grading them on a 250-point scale for overall security, and then translating the scores into alphabetic grades. Eight of the baby monitors received an F and one received a D, in a report that was published just a week after an Indiana couple stated that someone hacked into their 2-year-old’s baby monitor and played the Police’s “Every Breath You Take” and “sexual noises.”
The research completed by the Rapid7 team highlights one of the many examples of poor security in the realm of Internet-connected gadgets known as the “Internet of Things.” The term includes everyday devices ranging from smart thermostats to Internet-connected refrigerators, or any gadget that has computing and networking capabilities in them.
The Rapid7 experts focused on baby monitors because they are frequently used and underscore the personal use that IoT can serve. Other than exposing personal information, the security faults could prove valuable to attackers who target executives that may work from home or access baby monitors from work.
Some of the security weaknesses reviewed in the study include: hard-coded accounts with default passwords, encrypted video and audio feeds, commands sent over the Internet, and the ability to gain control through remote shells. Here is an example of what they found:
1. The Philips In.Sight B120 establishes a direct connection to the camera's backend web application onto the public Internet, unencrypted and unauthenticated. By brute forcing the possible hostname and port number combinations used by the third-party service provider, an attacker can locate an exposed camera and is able to watch the live stream, enable remote access (e.g. Telnet), or change the camera settings.
It is important to note that Philips N.V. has been the most responsive of the vendors we approached with the findings of this research and is currently working on a patch that will be made available to customers. The company’s vendor disclosure process is well established and clearly focused on ensuring its devices are safe for consumers. We applaud Philips’ commitment to fixing this vulnerability and their established protocol for handling incoming product vulnerabilities, which included using a documented PGP key to encrypt communications around this sensitive material.
2. The iBaby M6 has a web service issue that allows easy access to other people's camera details by changing the serial number in a URL string. By abusing this access, filenames of a camera’s recorded video clips (automatically created from a motion or noise alert) can be harvested. Through a simple script, an attacker could potentially gain access to every recorded clip for every registered camera across the entire service.
3. The Summer Infant Baby Zoom Web service contains an issue where the method of adding an authorized viewer to the camera does not require any password or secret key for access to the feed. This means that by iterating through a user identifier on a URL, an attacker can add an e-mail address of their choice to every single camera and login at will to view the stream of any camera of their choosing.
Consumers should be aware that baby monitors and other Internet-connected devices will not tell you if they’re at risk. Even if you’re doing everything correctly, security still is not guaranteed.
“There's almost no way you as a consumer will ever know,” Mark Stanislav, a senior security consultant at Rapid7 who conducted the research, said.
For those looking to buy a baby monitor, you may want to consider something like this, as it is not connected via Internet and uses encryption to protect the video and audio stream sent between the camera and a dedicated handset.
Source: ArsTechnica
Advertisement
Learn more about Electronic Products Magazine
