“I sat down to feed her and the camera turned to focus on us.”
It’s October, and this seems like a voice-over in a trailer for a new Halloween film geared to strike terror into every new parent’s heart. But that’s what actually happened to one mom in Oz, who was sitting there with her baby in the nursery, a space designed to be safe and loving and comforting, when a baby-monitor camera, seemingly of its own volition, swiveled around to find a target—and upon spying her, proceeded to follow her as she moved around the room.
“After I changed her nappy, I sat down to start feeding her and the camera turned and focused straight on us,” Emma McCarthy told the local Sydney news.
Creepy, creepy, creepy. But there are other ways to describe this: Shooting fish in a barrel. “All too easy,” à la the Emperor in Star Wars. Candy from a baby. You catch the drift.
Hackers find compromising IoT devices like baby monitors one of the lowest-hanging fruits out there, and despite the mega-invasive aspect of attacks like this, it’s all too common for manufacturers to forget to build in decent security.
Cesare Garlati, chief security strategist at the prpl Foundation, said that vendors, for their part, could and should be doing a whole heck of a lot more.
“This baby-monitor hack is an invasion of privacy and should be used as an example for developers to implement security by separation at the hardware layer of the device,” he said via email. “Hardware is the key to making security, which is seriously flawed in IoT, more robust in connected devices. However, until this is rectified, consumers should understand the risks associated with such devices.”
This particular incident has Australian parents panicking, according to the Daily Mail. But consumers do get lazy and don’t change default passwords—even when the privacy of their precious bundle of joy is at stake. And incidents like these raise the question: In what situation would you need to stream your children’s bedroom to the web?
That’s an especially piquant query given that this kind of psychotic privacy invasion is nothing new. All the way back in 2014, news broke that hundreds of feeds from baby monitors, CCTV cameras and webcams from UK homes and businesses had been hacked and uploaded onto a Russian website. Anyone could visit the site and find a random kid’s room to tune into.
“The Russian site currently shows what is believed to be a child’s bedroom in Birmingham, a gym in Manchester, an office in Leicester, and a shop interior in London, among others,” UK newspaper the Independent reported at the time.
It truly is the stuff of nightmares—but avoidable ones. Until manufacturers get IoT security right (if they ever do), how about not transmitting your kid’s bedroom out onto the internet, hmm? Disabling the connectivity or changing the password isn’t that hard.