Snoops in the Crib: Insecure Baby Monitors Are Easy Targets

Ars Technica highlighted a regular nightmare for parents earlier this week:

9 baby monitors wide open to hacks that expose users’ most private moments

When the “Internet of Things” (IoT) first came up in class, our instructor joked that hackers like to call it by another name with the same acronym: the “Internet of Toys.” Many of these devices are trivially easy to play with.

As this article illustrates, baby monitors are a perfect example of companies riding the IoT wave without necessarily considering the consequences. If you buy a product that does not necessarily require an internet connection, but it touts “internet connectivity” as a feature, you had better do some real thorough background checks before plugging it into your home network. Chances are high that it will have a hardcoded backdoor administrator account, so anyone who finds its IP address can jump right in. Even if it doesn’t, the tendency of average consumers to never change the default password a device comes with is well-documented, meaning anyone who buys the same model of device (or finds its documentation online) can get in. And that’s assuming it has a password to change in the first place.

Check this quote from the full case study PDF:

The iBaby M6 has a web service issue that allows easy access to other people’s camera details by changing the serial number in a URL string.

Think about that for a second. This is a phenomenally simple security measure to circumvent. To put it in slightly more familiar terms, this is like if you wanted to view a video on YouTube, so you typed “https://www.youtube.com/watch?v=” and mashed eleven random characters on your keyboard after the equals sign to get a random video, except that random video has a chance of being a live feed of someone’s private home.

(Tangent: if you do decide to go attempting that exercise on YouTube, there is a non-zero chance that you will end up watching a recording of someone’s private home. There are a lot of accidentally uploaded videos that were probably never meant to be public out there, a phenomenon I was made aware of via the pioneering efforts of Jon Bois. Keymash at your own risk.)

This kind of system could be considered a very simple example of security through obscurity. Perhaps the designers of the camera figured that this security problem would never be exploited, because they assumed that their target market (parents) would not discover it, and potential attackers would be very unlikely to purchase a baby monitor.

The more likely explanation is less complicated: security was not a priority. It rarely is. But it needs to be.

Ultimately, if you want to buy a baby monitor camera today, you’re probably better off getting a simpler model that uses a radio signal to transmit the video feed. A quick search turns up plenty of results, most at a fraction of the price, and some with encryption to boot. Because even the most determined attacker is unlikely to get close enough to your home to plant a radio antenna, intercept the short-range feed, and do the necessary decryption. Assuming they won’t is another example of security through obscurity, and again, that’s not a good thing to lean on — but at least you know what you’re getting into.