Hacking these IoT baby monitors is child's play, researchers reveal

Graham CLULEY

February 23, 2018

You buy a baby monitor because you care about your young child’s safety, and want to protect them from danger.

But as more and more monitoring devices have embraced the internet, we run the risk of exposing our kids to strangers who may want to spy upon them, eavesdrop, and even chat.

Austrian security researchers have this week warned about the latest baby monitor affected by critical security vulnerabilities which raise very real privacy concerns.

The device in the spotlight is the Mi-Cam from miSafes, which describes itself as a “Wi-Fi remote video monitor for everyone”. It features a 720P HD video camera, two-way talk feature, and free local video recording – all controlled by a “user friendly” app for iPhone and Android smartphones.

According to the researchers from SEC Consult, the Mi-Cam also comes complete with outdated firmware that is affected by numerous publicly known vulnerabilities. The upshot is that simply changing a single HTTP request can allow an attacker to spy on a child’s nursery or talk to whoever is nearby.

In their analysis, the researchers focused their attention on the communications between the app, the monitor itself, and the cloud infrastructure it relies upon. They found it lacking in a number of areas:

  1. Broken Session Management & Insecure Direct Object References
  2. Missing Password Change Verification Code Invalidation
  3. Available Serial Interface
  4. Weak Default Credentials
  5. Enumeration of user accounts
  6. Outdated and Vulnerable Software

And although the apps themselves were not the main interest of the researchers, they still found flaws. For instance, the Android app used to control the camera is also easily compromised:

“A number of critical API calls can be accessed by an attacker with arbitrary session tokens because of broken session management.”

“This allows an attacker to retrieve information about the supplied account and its connected video baby monitors. Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied UID.”
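As an added illustration (not the researchers' or the vendor's code), here is a toy API back end showing findings 1 and 2 from the list above next to hardened handlers; every token, UID, device id and verification code is a constructed sample.

```python
# Added illustration, not code from SEC Consult or miSafes: a toy back end
# showing broken session handling with an insecure direct object reference
# (finding 1) and a verification code that is never invalidated (finding 2),
# each beside a hardened handler. All values below are constructed samples.

# server-side session store: token -> uid that logged in (constructed)
SESSIONS = {"tok-7f3a9c": "uid-1001"}
# account -> video monitors it owns (constructed)
DEVICES = {"uid-1001": ["cam-A1"], "uid-2002": ["cam-B9"]}
# password-change verification codes the service has issued (constructed)
RESET_CODES = {"uid-2002": "482913"}
PASSWORDS = {"uid-1001": "old-pw-1", "uid-2002": "old-pw-2"}


def list_monitors_vulnerable(token: str, uid: str) -> list:
    """Finding 1: the token is only checked for presence, never looked up,
    so any arbitrary token works, and the caller-supplied uid decides whose
    monitors are returned (an insecure direct object reference)."""
    if not token:
        return []
    return DEVICES.get(uid, [])


def list_monitors_fixed(token: str, uid: str) -> list:
    """The uid is taken from the server-side session the token resolves to;
    a client-supplied uid is accepted only if it matches that session."""
    session_uid = SESSIONS.get(token)
    if session_uid is None or session_uid != uid:
        raise PermissionError("invalid session or foreign uid")
    return DEVICES[session_uid]


def change_password_vulnerable(uid: str, code: str, new_pw: str) -> bool:
    """Finding 2: the verification code stays valid after use, so a single
    intercepted code can be replayed to change the password again later."""
    if RESET_CODES.get(uid) != code:
        return False
    PASSWORDS[uid] = new_pw
    return True


def change_password_fixed(uid: str, code: str, new_pw: str) -> bool:
    """The code is consumed the moment it is accepted: one use only."""
    if RESET_CODES.get(uid) != code:
        return False
    del RESET_CODES[uid]  # invalidate before the password is changed
    PASSWORDS[uid] = new_pw
    return True
```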

In a YouTube video, the researchers demonstrated how easy it was to hijack the Mi-Cam video monitor.

Now I can accept (but don’t like) that IoT devices may have vulnerabilities. I can even believe (but don’t like at all) that there are internet-enabled devices out there which are marketed at parents looking to protect their kids, and yet have failed to treat safety as a priority.

What really grates with me is the response the researchers have received from the makers of the Mi-Cam. Despite attempting since December 2017 to responsibly disclose the vulnerabilities to MiSafes and to the Chinese Computer Emergency Response Team, so that they could be fixed as a matter of priority… all they have heard back is silence.

And that’s why the researchers have presented their findings this week at a cybercrime conference in Vienna, and gone public with their concerns.

Because the issues remain in the products, and there is no timeline for them to be fixed, their advice is that customers should keep the baby monitors offline until further notice.

The scary thing is that this is just the latest in a long line of IoT devices that have been found to fall short when it comes to privacy and security. There will, no doubt, be many more to come. Remember that next time you are buying a cheap IP camera on Amazon.
