Hacking these IoT baby monitors is child's play, researchers reveal

Graham CLULEY

February 23, 2018

You buy a baby monitor because you care about your young child’s safety, and want to protect them from danger.

But as more and more monitoring devices have embraced the internet, we run the risk of exposing our kids to strangers who may want to spy upon them, eavesdrop, and even chat.

Austrian security researchers have this week warned about the latest baby monitor affected by critical security vulnerabilities which raise very real privacy concerns.

The device in the spotlight is the Mi-Cam from miSafes, which describes itself as a “Wi-Fi remote video monitor for everyone”. It features a 720P HD video camera, two-way talk feature, and free local video recording – all controlled by a “user friendly” app for iPhone and Android smartphones.

According to the researchers from SEC Consult, the Mi-Cam also ships with outdated firmware affected by numerous publicly known vulnerabilities. The upshot is that simply changing a single HTTP request can allow an attacker to spy on a child’s nursery or talk to whoever is nearby.

In their analysis, the researchers focused their attention on the communications between the app, the monitor itself, and the cloud infrastructure it relies upon. They found it lacking in a number of areas:

  1. Broken Session Management & Insecure Direct Object References
  2. Missing Password Change Verification Code Invalidation
  3. Available Serial Interface
  4. Weak Default Credentials
  5. Enumeration of user accounts
  6. Outdated and Vulnerable Software

And although the apps themselves were not the main interest of the researchers, they still found flaws. For instance, the Android app used to control the camera is also easily compromised:

“A number of critical API calls can be accessed by an attacker with arbitrary session tokens because of broken session management.”

“This allows an attacker to retrieve information about the supplied account and its connected video baby monitors. Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied UID.”
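As an added illustration (not code from the researchers, from miSafes, or from the original article), here is a constructed model of the defect class the quote describes: an API handler that only checks that some token is present and then trusts the UID supplied in the request, beside a version that derives identity from a server-side session and checks ownership. All names, functions and sample data are hypothetical.

```python
"""Constructed model of broken session management plus an insecure direct
object reference on a 'list my monitors' API call. Not the real miSafes
service; every name and value here is hypothetical."""
import secrets

# Constructed sample data: which account owns which baby monitors.
MONITORS = {"uid-1001": ["cam-A"], "uid-1002": ["cam-B", "cam-C"]}

# Server-side session store: token -> uid. Only tokens issued by login() are valid.
SESSIONS: dict[str, str] = {}


def login(uid: str) -> str:
    """Issue a random, unguessable session token bound to one account."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = uid
    return token


def get_monitors_vulnerable(token: str, uid: str) -> list[str]:
    """Broken: the token is only checked for presence, never looked up, and
    the account is taken from the request, so any token plus any UID works."""
    if not token:
        raise PermissionError("missing token")
    return MONITORS.get(uid, [])


def get_monitors_hardened(token: str, uid: str) -> list[str]:
    """Fixed: resolve the caller's identity from the server-side session and
    confirm the requested account is that caller's own account."""
    owner = SESSIONS.get(token)
    if owner is None:
        raise PermissionError("invalid or expired session token")
    # One generic error for both 'not yours' and 'does not exist', so the
    # endpoint cannot be used to enumerate which UIDs are registered.
    if owner != uid:
        raise PermissionError("not authorised for this account")
    return MONITORS[owner]


def outcome(handler, token: str, uid: str):
    """Return the monitor list the handler grants, or 'denied' on rejection."""
    try:
        return handler(token, uid)
    except PermissionError:
        return "denied"
```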

In a YouTube video, the researchers demonstrated how easy it was to hijack the Mi-Cam video monitor.

Now I can accept (but don’t like) that IoT devices may have vulnerabilities. I can even believe (but don’t like at all) that there are internet-enabled devices out there which are marketed at parents looking to protect their kids, and yet have failed to treat safety as a priority.

What really grates with me is the response the researchers have received from the makers of the Mi-Cam. Despite attempting since December 2017 to responsibly disclose the vulnerabilities to miSafes and to the Chinese Computer Emergency Response Team, so that they could be fixed as a matter of priority, all they have heard back is silence.

And that’s why the researchers have presented their findings this week at a cybercrime conference in Vienna, and gone public with their concerns.

Because the issues remain in the products and there is no timeline for fixing them, their advice is that customers should keep the baby monitors offline until further notice.

The scary thing is that this is just the latest in a long line of IoT devices that have been found to fall short when it comes to privacy and security. There will, no doubt, be many more to come. Remember that next time you are buying a cheap IP camera on Amazon.
