It’s a bad week for connected parents: A South Carolina mom says a stranger hacked into her baby monitor to spy on her and her family. She shared the experience on Facebook after she noticed someone had taken control of the 360-degree motion feature and was moving the camera toward her bed to see if she was in it.
The family’s $34 Fredi Wireless baby camera was hacked, which the mother discovered when the camera moved on its own, swiveling between her bed and the chair where she feeds her baby.
“My son is only three months old, and God knows what kind of images and videos out there of both of us and intimate moments,” Jamie Summitt told ABC News. “I feel guilty for not doing enough research on this. I didn’t know this was something I needed to look into. I thought baby monitors were kind of cut and dry. You find a baby monitor, you watch them napping, it was supposed to be a safety thing.”
After the North Charleston Police Department was called in, the monitor’s app locked up when a policeman came into the room, returning an “insufficient permissions” message. Summitt told ABC News that she suspects the “hacker ‘heard everything’ and ‘saw the officer.’”
“It sounds like the attacker totally pwned this device since they were able to practically ‘brick’ it when the police became involved,” Mike Banic, vice president at Vectra, said via email. “This makes me suspicious that someone has infected the supply chain in such a way that they have a persistent connection to the device that cannot be disrupted with a password change. The one recommendation for home IoT devices that don’t need Internet access is to put them on a network – wired or wireless – that doesn’t have Internet access. Checking on a baby from another room of the house doesn’t require Internet connectivity. This ‘air gap’ approach would ‘unplug’ the persistent connection that the attacker had to the baby cam.”
Summitt also said she chose a complex password to protect the camera. Weak or default passwords are the typical attack vector for consumer cameras, but in this case a strong password wasn’t enough.
“The influx of inexpensive internet-connected camera products from China makes it extremely difficult for average consumers to evaluate anything beyond basic functionality,” Rick Moy, CMO at Acalvio, said in an email. “It is virtually impossible to understand let alone validate security features like strong passwords, secure protocols, and backend authorization and access controls. Where do the videos go? Who could have access to it? Is there any kind of third party assessment done? Vendors and Industry groups need to provide better transparency to these questions in order to earn customer trust.”
The manufacturer has not responded to public requests for comment, but the company is certainly not the only one affected by a lack of security controls.
Earlier this year, a raft of off-the-shelf devices (including baby monitors, home security cameras, doorbells and thermostats) were easily co-opted by cyber-researchers at Ben-Gurion University of the Negev (BGU). As part of their ongoing research into detecting vulnerabilities in the growing range of smart-home and IoT devices and networks, the researchers disassembled and reverse-engineered many common devices and quickly uncovered serious security issues.
“It is truly frightening how easily a criminal, voyeur or pedophile can take over these devices,” said Yossi Oren, a senior lecturer in BGU’s Department of Software and Information Systems Engineering and head of the Implementation Security and Side-Channel Attacks Lab at Cyber@BGU. “Using these devices in our lab, we were able to play loud music through a baby monitor, turn off a thermostat and turn on a camera remotely, much to the concern of our researchers who themselves use these products.”
Omer Shwartz, a Ph.D. student and member of Oren’s lab, added: “It only took 30 minutes to find passwords for most of the devices and some of them were found only through a Google search of the brand. Once hackers can access an IoT device, like a camera, they can create an entire network of these camera models controlled remotely.”