Parents rely on baby monitors to help them keep their kids safe—but it turns out that these staples of the young-family household have serious cybersecurity flaws—including those that allow hackers to spy on the household.
Rapid7 researchers uncovered critical vulnerabilities in three popular baby monitors, and a slew of other problems in others. In one, an attacker could locate an exposed camera and watch the live stream, enable remote access (e.g. Telnet) or change the camera settings. In another, an attacker could potentially gain access to every recorded clip for every registered camera across the entire service. And in the third, an attacker could add an e-mail address of their choice to every single camera, and login at will to view the stream of any camera of their choosing.
Further, in evaluating nine different devices from eight different vendors, Rapid7 found numerous security weaknesses and design flaws, like hardcoded credentials, unencrypted video streaming, and unencrypted web and mobile app functions.
Unfortunately, most of these vulnerabilities and exposures are “trivial” to exploit by a reasonably competent attacker, the researchers said in an analysis.
“The mentioned critical vulnerabilities are of a highly serious nature for camera owners of those devices, while additional security issues, especially related to remote access protocols that are exposed and featuring hardcoded credentials, can be risky depending on their network accessibility and a potential attacker’s vantage point to that device,” Rapid 7 noted. “Ultimately, all of the devices tested run a fully-fledged operating system and thus could be a powerful point of attack for purposes other than abusing the baby monitor’s intended functionality.”
All of this is especially concerning in the context of a focused campaign against company officers or other key business personnel, “as employees increasingly blur the lines between home networks and business networks through routine telecommuting and data storage on cloud resources shared between both contexts,” Rapid7 noted.
All the flaws have been reported to the manufacturers.