Hacking these IoT baby monitors is child's play, researchers reveal

You buy a baby monitor because you care about your young child’s safety, and want to protect them from danger.

But as more and more monitoring devices have embraced the internet, we run the risk of exposing our kids to strangers who may want to spy upon them, eavesdrop, and even chat.

Austrian security researchers have this week warned about the latest baby monitor affected by critical security vulnerabilities which raise very real privacy concerns.

The device in the spotlight is the Mi-Cam from miSafes, which describes itself as a “Wi-Fi remote video monitor for everyone”. It features a 720P HD video camera, two-way talk feature, and free local video recording – all controlled by a “user friendly” app for iPhone and Android smartphones.

According to the researchers from SEC Consult, the Mi-Cam also comes complete with outdated firmware which is vulnerable to numerous publicly known vulnerabilities. The upshot is that simply changing a single HTTP request can allow an attack to spy on a child’s nursery or talk to whoever is nearby.

In their analysis, the researchers focused their attention on the communications between the app, the monitor itself, and cloud infrastructure it replies upon. They found it lacking in a number of areas:

1. Broken Session Management & Insecure Direct Object References
2. Missing Password Change Verification Code Invalidation
3. Available Serial Interface
4. Weak Default Credentials
5. Enumeration of user accounts
6. Outdated and Vulnerable Software

And although the apps themselves were not the main interest of the researchers, they still found flaws. For instance, the Android app used to control the camera is also easily compromised:

“A number of critical API calls can be accessed by an attacker with arbitrary session tokens because of broken session management.”

“This allows an attacker to retrieve information about the supplied account and its connected video baby monitors. Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied UID.”

In a YouTube video, the researchers demonstrated how easy it was to hijack the Mi-Cam video monitor.

Now I can accept (but don’t like) that IoT devices may have vulnerabilities. I can even believe (but don’t like at all) that there are internet-enabled devices out there which are marketed at parents looking to protect their kids, and yet have failed to treat safety as a priority.

What really grates with me is the response the researchers have received from the makers of the Mi-Cam. Despite attempting to responsibly disclose the vulnerabilities to MiSafes since December 2017, and the Chinese Computer Emergency Response Team, so that they could be fixed as a matter of priority… all they have heard back is silence.

And that’s why the researchers have presented their findings this week at a cybercrime conference in Vienna, and gone public with their concerns.

Their view is that as the issues remain with the products, and there is no timeline for them to be fixed, their advice is that customers should keep the baby monitors offline until further notice.

The scary thing is that this is just the latest in a long line of IoT devices that have been found to fall short when it comes to privacy and security. There will, no doubt, be many more to come. Remember that next time you are buying a cheap IP camera on Amazon.