Over the last few years, hackers have set their targets on Internet-connected baby monitors. They have hacked into baby monitors to scream at toddlers, to curse out their parents, and to turn them into spy cams. Earlier this year, a hacker put live feeds from a thousand baby monitors onto a site titled, “Big Brother is Watching You.” Just last week, an Indiana couple was freaked out by someone hacking into their 2-year-old’s baby monitor to play the Police’s “Every Breath You Take,” followed by “sexual noises.”
With all these intrusions in the rear view mirror, you’d think the baby monitor business would be kicking security into high gear, putting the digital equivalent of baby gates everywhere to keep hackers out. But when a security firm tested nine Internet-connected baby monitors, including some of the most widely-available models, it found problems with every single one, flaws that would allow creepy strangers to drop into nurseries digitally.
“Eight of the 9 cameras got an F and one got a D minus,” says security researcher Mark Stanislav of Rapid 7. “Every camera had one hidden account that a consumer can’t change because it’s hard coded or not easily accessible. Whether intended for admin or support, it gives an outsider backdoor access to the camera.”
Stanislav tested cameras from iBaby, Philips, TRENDnet, Summer Infant, Lens Laboratory, and Gynoii, choosing cameras that were available on Babies-R-Us, most popular on Amazon from a range of price points ($55-$260). Spending approximately 20 hours testing each camera, Rapid 7 found flaws considered trivial in the security community: Internet portals that used default passwords, Internet portals that easily allow you in if you guess the device’s serial or account number, and lack of encryption. In April, a Kansas woman with a Summer Infant baby monitor said someone used it to spy on her.
Rapid 7’s report included the flaws in various models:
TRENDnet has had issues in the past with its Internet-connected cameras getting hacked. As part of a 2014 Federal Trade Commission settlement, it was supposed to establish a “comprehensive information security program” to make sure its cameras didn’t let strangers creep into them. Rapid 7 has disclosed the vulnerabilities to the baby monitor companies in hopes that they’ll be fixed.
A spokesperson from iBaby says that the company has fixed the issue with authentication and encrypted the data sent from customers’ monitors and that customers need to update their iBaby app to have these changes take effect.
A Philips spokesperson says the product that Rapid 7 tested, though still available for sale from various outlets is a “discontinued version of a product manufactured and sold by the company.” Spokesperson Mario Fante says the product is now licensed to a new company, Gibson Innovations, and that it is “aware of the identified security vulnerabilities, and has been developing and implementing software updates for the affected discontinued version of the product.” That software update is supposed to be available this week.
“Whilst the security vulnerabilities are a concern and are being addressed, at this time we are not aware of any consumers who have been directly affected by this issue,” said Fante by email.
So what is a privacy-minded parent supposed to do when it comes to choosing a baby monitor? We don’t yet have a database for consumers that will tell them the security safety rating on a product, though respected hacker and researcher Peiter “mudge” Zatko is working on something like that.
“I’m a super popular person with pregnant women right now,” said Stanislav by phone. “Everyone is asking me about which baby monitor they should buy.”
If someone wants an Internet-connected camera for baby monitoring, Stanislav recommends Nestcam, formerly known as Dropcam, a product from Google-owned Nest. It’s stood up to security tests (though it might let the police into your home). “I’ve got a lot of faith in it and use it,” said Stanislav who noted that Dropcam’s partnered with BuildItSecurely to have its products worked over by security researchers.
Stanislav himself has a baby on the way, and says he plans to use an old-fashioned radio frequency-based baby monitor, that will only allow for monitoring within a limited radius of where the baby is located. It too could be hacked, say if someone hung outside the house with a sniffing device to intercept the radio signal, but Stanislav isn’t as worried about that.
“There’s risk to radio-frequency cameras, but it’s the Internet versus people in my neighborhood,” said Stanislav. “It’s within the realm of possibility that it will be hacked but the odds that a creepy person in my neighborhood has that talent is considerably less than someone on the Internet having the skills.”
Updated Sept. 3 with comment from iBaby Labs