Baby monitor hacked to snoop on mother breastfeeding

IP cameras are back in the IoT security news. Shortly after researchers found remote control vulnerabilities in Foscam security cameras, a mother from South Carolina called police to report that a hacker was watching her breastfeed through a baby monitor.

Jamie Summitt had bought the $34 Fredi Wireless cam off of Amazon chiefly for its ability to pan 360 degrees and send the video feed to the family’s smartphones, even when they’re away from home, over WiFi.

“All of a sudden I noticed out of the corner of my eye that the camera was moving…and it was panning over to our bed. The exact spot that I breastfeed my son every day. Once the person watching realized I was not in bed, he panned back over to Noah asleep in his bassinet,” Summitt wrote on Facebook in a warning to all parents who rely on baby monitors to keep tabs on their children.

The device was apparently very easy to hack, even though Summitt swapped the default password for a complex one. The improved password doesn’t rule out a potential brute force attack, but it may point to a different attack route, such as a vulnerability in the camera itself.

When Summitt called the North Charleston Police Department, the monitor’s app locked up, returning the error message “insufficient permissions,” suggesting the hacker bailed out and bricked the device to erase any trail.

“I feel so violated,” the mother wrote. “This person has watched me day in and day out in the most personal and intimate moments between my son and I. I am supposed to be my son’s protector and have failed miserably. I honestly don’t ever want to go back into my own bedroom.”

As we’ve written in the past, one of the primary faults with low-end IoT devices (i.e. Chinese knockoffs) is that many of them roll out of the factory without proper security checks. Because of this, the UK has issued a proposal for IoT vendors to secure their products “by design,” similar to how the EU’s GDPR asks data custodians to secure their systems and processes “by design and by default.” The UK hopes to soon draft a law based on its proposal.