A series of critical vulnerabilities in QiWo Mi-Cam Baby Monitors could allow threat actors to remotely connect to more than 52,000 cameras from anywhere in the world, potentially spying on you or your children.
Six vulnerabilities were discovered, ranging from insecure API calls, password change verification codes and exposed serial interfaces to hardcoded default credentials, incremental user account enumeration, and outdated firmware. Researchers from SEC Consult, though, failed to contact the smart device’s developer for reporting and submitting the vulnerabilities.
“Based on observed user identifier values extracted from the cloud API and Google Play store data, an estimated total number over 52000 user accounts and video baby monitors are affected (implying a 1:1 distribution of user accounts to video baby monitors),” reads the report. “Even worse, neither the vendor nor the CNCERT/CC could be reached for the coordination for our responsible disclosure process.”
Further investigation revealed that the same set of vulnerabilities could affect other vendors that offer seemingly identical baby monitors. Since all found vulnerabilities involved investigating the communication between the companion app, the actual device and the cloud infrastructure that the Android and iOS applications access, researchers estimate the number of vulnerable devices could be significantly higher than anticipated.
Although a spokesperson for QiWo did say they’re currently investigating the issue and they’re actually the ones responsible for pushing an update, the affected device is allegedly no longer in production, according to Forbes.
With cybercriminals potentially eyeballing you and your children’s activities within your home, these vulnerabilities pose serious security and privacy risks. Since no official patch is available nor an estimate on when it might hit devices, everyone that has one of the vulnerable baby monitors remains at risk.