Ever since wireless or Internet-connected home baby monitors and security systems became commonplace, there have been equally commonplace warnings about how easily hackers can break into these systems.
There even exist voyeurism websites dedicated to streaming or archiving camera footage from unprotected Internet protocol (IP) cameras – almost always without the camera owners' knowledge. Last April, for example, a Minnesota family learned this the hard way after they discovered that hackers had hijacked the “nanny cam” in their baby's room – and posted surreptitious baby photos on a foreign website.
Yet recent research by the Rapid7 cybersecurity firm suggests that the majority of home baby monitors on the market today remain extremely vulnerable to hack attacks. Rapid7's white-hat hackers were successfully able to exploit vulnerabilities in nine different models of baby monitor. Worse yet, many of those vulnerabilities are inherent to their systems – meaning that even security-conscious and tech-savvy users cannot fix them. Mark Stanislav and Tod Beardsley co-wrote Rapid7's report, which is available as a .pdf here.
Increased hacking threat
Most baby-monitor-hacking stories emphasize the obvious privacy threats to the baby and others in the house. But Stanislav and Beardsley, in their executive summary, pointed out that the threat stretches much farther than that:
While Rapid7 is not aware of specific campaigns of mass exploitation of consumer-grade IoT [Internet of things] devices, this paper should serve as an advisory on the growing risk that businesses face as their employees accumulate more of these interconnected devices on their home networks. This is especially relevant today, as employees increasingly blur the lines between home networks and business networks through routine telecommuting and data storage on cloud resources shared between both contexts.
In other words: any Internet connection, or device with one, has the potential to be hacked. And if a hacker successfully breaches security for one of your Internet-connected devices, there's a good chance he can piggyback from there to breach the security of anything else connected to it.
So let's say a hacker secretly breaches your baby-cam or other home-security network. You then use your smartphone to watch camera footage while you're out running errands; now the hacker can get into your smartphone. And when you use the phone to check your messages at work, that gives the hacker access to your corporate network, so your personal, private hacking problem might now place the entire company you work for at risk.
The risk to your family is bad enough on its own, though. Just last week, an unknown hacker used a breached baby monitor to harass a family in Indianapolis. Jared Denman said that his wife was playing with their two-year-old daughter when the baby monitor suddenly started playing music: the 1980s creepy-stalker anthem “Every Breath You Take,” by The Police. Once the hacker realized he had the mother's attention, he started making “sexual noises” over the speaker. Turns out the Denmans, like many baby-monitor buyers, had made the mistake of not changing the system's factory-set username and password, which meant anyone who knew them could break in.
Monitoring devices fail security test
Yet even consumers savvy enough to avoid such obvious mistakes still can't be certain their privacy is protected when there's a baby monitor in the house. When Rapid7 tested nine different models of baby monitors, said Mark Stanislav, “Eight of the 9 cameras got an F and one got a D minus. Every camera had one hidden account that a consumer can’t change because it’s hard coded or not easily accessible. Whether intended for admin or support, it gives an outsider backdoor access to the camera.”
The tested baby monitors included various models produced by Gyonii, Philips, Lens Peek-a-view, Summer Baby Zoom, TRENDnet, WiFiBaby, Withings, and iBaby. A chart on page 7 of Rapid7's report (page 9 of the online .pdf) lists the vulnerabilities found in each specific model.
Some security flaws were more glaring than others. The Philips In.Sight model, according to Stanislav, streams live video onto the Internet without so much as requiring a password or account to protect it. With Summer Baby Zoom, the researchers learned, there's no authentication process to allow new viewers to see specific camera feeds; anyone who wishes to can simply add themselves.
According to the timelines in Rapid7's report, the researchers informed various vendors of these security flaws in early July. Yet Stanislav said that of all the companies he contacted, Philips was the only responsive vendor.
Protect your privacy
While the vulnerabilities exposed by Rapid7 can't be entirely eradicated, there are ways users can reduce the possibility of electronic eavesdropping. For example, unencrypted video files or other data are most vulnerable to interception when viewed over a public WiFi network, so if you must remotely view unencrypted video, Stanislav recommends using your phone's cellular Internet connection instead.
Parents should also keep baby monitors unplugged when they're not in use, use secure passwords, change them frequently, and make sure the device's software is always up-to-date. You might also consider setting up a search-engine email alert so that you are notified anytime a news story mentioning your model of baby monitor gets published; if new security flaws or fixes are announced, that would probably be the quickest, easiest way to ensure you hear about it.
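Both the Denman incident and the hidden vendor accounts Stanislav describes come down to the same thing: someone logging in to the camera from outside the home with a username the owner never set. If your router or camera can export an access log, you can watch for exactly that. The script below is an added example written for this article, not code from Rapid7 or from any camera vendor; the log format it parses is an assumption (a constructed "login user=… src=… result=…" line), and the list of vendor account names beyond "admin" and "support" is likewise assumed, so adapt both to what your own device actually records.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log. The format "<timestamp> login user=<name> src=<ip> result=<ok|fail>"
# is an assumption for this example, not any vendor's real format.
SAMPLE_LOG = """\
2015-09-01T20:14:02Z login user=parent src=192.168.1.23 result=ok
2015-09-01T21:03:17Z login user=admin src=203.0.113.77 result=fail
2015-09-01T21:03:19Z login user=admin src=203.0.113.77 result=fail
2015-09-01T21:03:21Z login user=admin src=203.0.113.77 result=ok
2015-09-01T22:40:05Z login user=support src=198.51.100.9 result=ok
2015-09-02T07:12:44Z login user=parent src=10.0.0.5 result=ok
"""

# Account names a vendor might ship as defaults or hidden service accounts.
# "admin" and "support" come from the article; "root" and "service" are assumed.
VENDOR_ACCOUNTS = {"admin", "support", "root", "service"}

# Address ranges that belong to a home LAN. Listed explicitly rather than relying on
# ipaddress's is_private, which also treats documentation ranges such as 203.0.113.0/24
# as "private" and would hide the very logins we want to see.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                    # loopback, link-local
    "::1/128", "fe80::/10", "fc00::/7",                 # IPv6 loopback, link-local, ULA
)]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def is_local(addr):
    """True if addr is a home-LAN address; malformed strings are treated as non-local."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETWORKS)


def find_suspicious_logins(log_text, vendor_accounts=VENDOR_ACCOUNTS):
    """Successful logins that used a vendor/default account from outside the LAN."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if rec["result"] == "ok" and rec["user"] in vendor_accounts and not is_local(rec["src"]):
            findings.append(rec)
    return findings


def failed_attempts_by_source(log_text):
    """Count failed logins per source address; repeated failures before a success suggest guessing."""
    counts = Counter()
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec and rec["result"] == "fail":
            counts[rec["src"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in find_suspicious_logins(SAMPLE_LOG):
        print(f"{f['ts']}: vendor account '{f['user']}' logged in from non-LAN address {f['src']}")
    print("failed attempts by source:", failed_attempts_by_source(SAMPLE_LOG))
```

Run against the constructed sample, the script flags the two successful logins from non-LAN addresses with vendor account names and shows the two failed guesses that preceded one of them. If a camera's own log only records the router's address, run the same check on the router's log instead; the point is that no vendor-named account should ever succeed from an address outside your home.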