Baby Monitors Expose Kids Worldwide
IoT baby monitors STILL revealing live streams of sleeping kids
The hacker that rocks the cradle
3 Sep 2015, John Leyden
Internet-connected baby monitors are riddled with security flaws that could broadcast live footage of your sleeping children to the world and his dog, according to new research.
Mark Stanislav, a security researcher at Rapid7, discovered numerous security weaknesses and design flaws after evaluating nine different devices from eight different vendors. Security flaws included hidden, hardcoded credentials, unencrypted video streaming, unencrypted web and mobile app functions, and much more.
Isolated real-world reports of hacking of baby monitors date back at least two years, so it’s not as if the problem is new.
Last year privacy watchdogs at the ICO warned parents to change the default passwords on webcams to stop perverts snooping on kids.
The warning followed a security flap created by a site, hosted in Russia, that streamed live footage ranging from CCTV networks to built-in cameras from baby monitors. The website itself – insecam.cc – accesses the cams using the default login credentials, which are freely available online for thousands of devices.
Nearly a year later it’s still easy for miscreants to access streaming video footage from baby monitors, Rapid7 has discovered.
Three popular baby monitors were found to each have a critical vulnerability impacting their overall security.
The three critical issues would allow:
- A hacker to locate an exposed camera and watch the live stream, enable remote access (e.g. Telnet), or change the camera settings
- A flaw that created a means for an attacker to gain access to every recorded clip for every registered camera across an entire service
- A bug that meant a hacker could add an arbitrary email address of their choice to every single camera. Thereafter, a hacker could login at will to view the stream of any camera of their choosing
Ten vulnerabilities reported to affected vendors by Rapid7 were disclosed at the High Technology Crime Investigation Association (HTCIA) conference on Tuesday, 2 September. Computer Emergency Response Teams were kept abreast of the flaws.
Flaws were found in the iBaby M6 and iBaby M3S from iBaby Labs; Philips In.Sight from Philips Electronics; the Summer Baby Zoom WiFi Monitor & Internet Viewing System from Summer Infant; Lens Peek-a-View from Lens Laboratories; the Gynoii from Gynoii, Inc; and TRENDnet WiFi Baby Cam TV-IP743SIC from TRENDnet.
The Philips In.Sight B120, iBaby M6 and Summer Infant Baby Zoom all left live streams easily hackable because of a lack of authentication or other security controls.
These critical vulnerabilities are particularly bad news for parents who rely on affected devices. The other security issues raised, especially those related to exposed remote access protocols and featuring hardcoded credentials, can be risky depending on their network accessibility, Rapid7 warns.
All of the tested devices run a fully-fledged operating system and therefore offer a point of attack for purposes other than abusing the baby monitor’s intended functionality.
Rapid7 told affected manufacturers and US-CERT about the bugs it found back in early July, but many of the vulnerabilities remain unpatched two months later.
Vendors exhibited widely varied responses to the reported problems, as a white paper (pdf) from Rapid7 explains.
During the course of the vulnerability disclosure process, we saw vendors exhibit the entire range of possible responses. One vendor was impossible to contact, having no domain or any other obvious internet presence beyond an Amazon store listing.
Some vendors did not respond to the reported findings at all. Others responded with concerns about the motives behind the research, and were wondering why they should be alerted or why they should respond at all.
On the exemplary side, one vendor, Philips N.V., had an established protocol for handling incoming product vulnerabilities, which included using a documented PGP key to encrypt communications around this sensitive material.
Philips was also able to involve upstream vendors in pursuing solutions to those technologies provided by others. Weaved, a provider of an IoT-in-the-cloud framework for Philips, was especially open with and responsive to the authors of this paper.
Rapid7 has published more details of its research (and further background material) on its Internet of Things microsite.
Some top baby monitors lack basic security features: Report
Wednesday, 2 Sep 2015 The Associated Press
Several of the most popular Internet-connected baby monitors lack basic security features, making them vulnerable to even the most basic hacking attempts, according to a new report from a cybersecurity firm.
The possibility of an unknown person watching their baby's every move is a frightening thought for many parents who have come to rely on the devices to keep an eye on their little ones. In addition, a hacked camera could provide access to other Wi-Fi-enabled devices in a person's home, such as a personal computer or security system.
The research released Wednesday by Boston-based Rapid7 looks at nine baby monitors made by eight different companies. They range in price from $55 to $260.
The cameras are often mounted over a baby's crib or another place where they spend a large amount of time. They work by filming the child, then sending that video stream to a personal website or an app on a smartphone or tablet. Some of the cameras also feature noise or motion detectors and alert parents when the baby makes a sound or moves.
The Rapid7 researchers found serious security problems and design flaws in all of the cameras they tested, says Mark Stanislav, a senior security consultant at Rapid7 and one of the report's authors.
Some had hidden, unchangeable passwords, often listed in their manuals or online, that could be used to gain access. In addition, some of the devices didn't encrypt their data streams, or some of their web or mobile features, Stanislav says.
The problems with the cameras highlight the security risks associated with what's become known as the "Internet of things." Homes are becoming increasingly connected, with everything from TVs to slow cookers now featuring Wi-Fi connections. But many consumer devices often don't undergo rigorous security testing and could be easy targets for hackers.
And if a hacker has access to one connected device, he or she could potentially access everything tethered to that home's Wi-Fi network, whether it's a home computer storing personal financial information or a company's computer system that's being accessed by an employee working from home.
In the Rapid7 study, researchers rated the devices' security on a 250-point scale. The scores were then converted to a grade between "A" and "F." Of those tested, eight received an "F," while one received a "D." All of the camera manufacturers were notified of the problems earlier this summer and some have taken steps to fix the problems.
For example, researchers noted that the Philips In.Sight B120 baby monitor, which retails for about $78, had a direct, unencrypted connection to the Internet. That could allow a hacker to watch its video stream online, as well as remotely access the camera itself and change its settings, the report says.
Philips NV released a statement noting that the model in question has been discontinued. It added that its brand of video baby monitors is now licensed to Gibson Innovations, which is aware of the problems and is working on a software update designed to fix them.
The researchers also tested the iBaby and iBaby M3S, Summer Baby Zoom WiFi Monitor & Internet Viewing System, Lens Peek-a-View, Gynoii, TRENDnet WiFi Baby Cam TV-IP743SIC, WiFiBaby WFB2015 and Withings WBP01.
Higher camera prices didn't translate to higher levels of security. In fact, the pricier models usually came with more features, which left unsecured could give hackers more ways to potentially access a camera or its video stream, Stanislav says.
In order to protect themselves, consumers should keep an eye out for any camera or mobile application updates. In addition, if parents still want to use a camera that's known to be susceptible to hackers, they should use it sparingly and unplug it when it's not in use, Stanislav says.