New study indicates baby monitors lack cyber-security protections

Poor cyber-security in baby cameras gift hackers with personal videos and audio feeds into what occurs in people's homes.

Poor cyber-security in baby cameras is a gift to hackers
Poor cyber-security in baby cameras is a gift to hackers

A new report indicates that many internet-connected baby monitors don't have basic cyber-security protections that can prevent hackers from accessing live video feeds.

Poor cyber-security in baby cameras has been known to cause a large violation of privacy by gifting hackers with personal videos and audio feeds into what goes on in people's homes.

Mark Stanislav, senior security consultant at Rapid7, tested baby cameras from eight different manufacturers and delivered failing grades to all but one. The monitor that did pass wasn't much better than the rest according to him and scarcely made the cutoff to pass.

A major issue that Stanislav says he encountered in many of the devices was that they do not encrypt video feeds. He also noted that several of the baby monitors had hidden accounts and passwords hard coded into the devices. If an attacker compromised those accounts, they could obtain a secret access point to take control of the camera.

Three of the cameras had blatant security dilemmas. One places a live stream of video onto the internet without the requirement of an account or password for protection. Another uses a web service that collects clips of the baby. It requires a password, but Stanislav says anyone logged in can see any other user's video by simply typing in an easily-guessed user ID into the web address. The third camera requires no authentication to authorise new users to view camera feeds.

Stanislav says the prices of the monitor made no difference in the cyber-security protection that it offered. One of the cheaper baby monitors was the only monitor to which he felt earned a passing grade.

While some of the discovered flaws in the smart cameras were actually the fault of out-of-date, third-party operating systems or other devices, a majority of the devices also contained previously unreported vulnerabilities. 

Some companies are aware of the Rapid7 report, and are either investigating the issues raised or do not agree with Stanislav's security ranks.

While Stanislav feels a number of the devices he researched are incapable of repair, he does believe there are some common security practices users can embrace to help prevent snoops from listening in. He recommends using a cellphone internet connection since monitors with unencrypted video are most hackable when users watch video from public WiFi networks. He also recommends to always turn off the cameras when not in use.

Bryan Lillie, chief technical officer, cyber-security, QinetiQ, comments, “We are still a long way from makers of connected devices appreciating the security risks, let alone users appreciating them. Expect to see a lot more of these flaws exposed over the next couple years – hopefully by researchers rather than hackers.”