Despite Reports of Hacking, Baby Monitors Remain Woefully Insecure 109
itwbennett writes: Researchers from security firm Rapid7 have found serious vulnerabilities in nine video baby monitors from various manufacturers. Among them: Hidden and hard-coded credentials providing local and remote access over services like SSH or Telnet; unencrypted video streams sent to the user's mobile phone; unencrypted Web and mobile application functions and unprotected API keys and credentials; and other vulnerabilities that could allow attackers to abuse the devices, according to a white paper released Tuesday. Rapid7 reported the issues it found to the affected manufacturers and to US-CERT back in July, but many vulnerabilities remain unpatched.
Marketplace Justice (Score:5, Insightful)
Would be nice if there were an organization like UL Underwriters for network security, call it Network Underwriters Themed, Security Assured Credentials -- NUTSAC for short.
Silliness aside, until manufacturers have to pay the price in the marketplace for their crappy wares, they won't bother to do it right.
--
Everything in the Universe sucks: It's the law!
Re: (Score:3)
The problem is that most people do not think about security and thus will not demand that in products. So the marketplace will not demand such.
Thus in the future with IoT, we will soon see a lot of stuff, the current small scale thing is just the beginning.
In the long run I expect there will be laws and liabilities, but that is still a long way off at this point.
Re: (Score:1)
The problem is that most people do not think about security and thus will not demand that in products. So the marketplace will not demand such.
Thus in the future with IoT, we will soon see a lot of stuff, the current small scale thing is just the beginning.
In the long run I expect there will be laws and liabilities, but that is still a long way off at this point.
Laws will happen. Just as soon as the first death is caused by a hack (or a hack gone wrong). However indirectly. That's what it takes for average people, and thus their representatives, to pay attention and figure out that something actually does matter. Then it will be a CRISIS! and we must do something NOW!
Ouch (Score:3)
Laws will happen. Just as soon as the first death is caused by a hack (or a hack gone wrong). However indirectly. That's what it takes for average people, and thus their representatives, to pay attention and figure out that something actually does matter. Then it will be a CRISIS! and we must do something NOW!
And that's the worst part of the problem. Because they won't fix the security problem, they will make it illegal to install a custom ROM on any wireless device.
Re: (Score:1)
The problem is that most people do not think about security and thus will not demand that in products. So the marketplace will not demand such.
Laws will happen. Just as soon as the first death is caused by a hack (or a hack gone wrong).
Am I the only one who remembers when products like baby monitors worked by RF broadcast? It used to be anyone could turn their radio to 88.7, their TV to channel 4, or whatever frequency was being broadcast, and listen in. Anyone with the same brand of monitor could pick up neighboring signals (in the unlikely event you'd both bought the same one), and they rarely even offered so much as a choice of 'channel A' vs 'channel B'.
Sure, the old systems required physical proximity. Maybe the new network connec
Different needs (legitimate?) (Score:2)
I have a RF audio-only baby monitor. Our house is quite big, and during our twins' first ~three months, it was hard to hear them from a different room. After the fourth month (they are six months old now), we haven't bothered to connect the monitor again, as their lungs are strong enough for us to hear whatever happens.
And yes, we mainly used our monitor to quickly go check on them, to make the distress time as small as possible.
Now, continuously streaming a video feed of my babies over the Internet... What
Re: (Score:2)
Now, continuously streaming a video feed of my babies over the Internet... What good would that be for? Maybe only for me to ensure a hypothetical nanny didn't abandon or mistreat them while I'm at work
looks like you answered your own question huh?
— But I'd have to be always on watch!
maybe you see them crying. and you check 10 minutes later and they are still crying. there you go.
Re:Marketplace Justice (Score:5, Insightful)
Until someone manages to get on TV and show how easy it is to spy on children that way, then you'll see consumers demanding security.
The problem is the consumer doesn't know how easy it is for someone that is not them to access their camera. And you'll see immediate change because it's all about the kids.
What needs to happen is media attention
Re: (Score:1)
Until someone manages to get on TV and show how easy it is to spy on children that way, then you'll see consumers demanding security.
The problem is the consumer doesn't know how easy it is for someone that is not them to access their camera. And you'll see immediate change because it's all about the kids.
What needs to happen is media attention
Or people could do something unusual and inform themselves. They will find a way to do that, if the kids are really so important. If not, it'll be someone else's job, perhaps the legislators' job.
Re: (Score:2)
I'm a bit surprised the CSI:Cyber episode about the people hacking baby monitors, kidnapping, and selling babies didn't get people thinking.
Re: (Score:2)
Is that show getting a second season?
Re: (Score:2)
Yes, it is. Ratings were good.
Beneath the animations meant to depict hacking and the totally unnecessary 3D displays and such, they have the fundamental truth right. Hackers really can get into that stuff that easily and they really could cause big problems.
Re: (Score:1)
That's totally made up. It would never happen IRL.
Re: (Score:2)
Perception is king. The facts don't matter much.
Agreed, that PARTICULAR story line isn't going to happen. However, the starting fact that baby monitors have practically no security is true.
Re: (Score:2)
I guess you must find yourself disturbed much of the time then.
Re: (Score:3)
Until someone manages to get on TV and show how easy it is to spy on children that way
Well, I know that I stay awake at night worrying that the neighbors are watching my kids sleep. That is a parent's worst nightmare.
Re: (Score:2)
Finally someone on here who has kids. If you want to watch my youngest's creepy-as-fuck arguments with the empty air, you go right ahead!
Re: (Score:2)
Bingo. So someone can hack the monitor and listen to my baby sleep or not sleep. Or even watch him sleeping. What exactly is the threat? What information can they really gain that is of use? That the sheets are green instead of blue?
They can see and hear a lot of details of activity inside the house, not just the baby. Whatever is in range of the camera and microphone.
Re: (Score:2)
They can see and hear a lot of details of activity inside the house, not just the baby. Whatever is in range of the camera and microphone.
Again, what's the threat? It's creepy, yes, but you have to be within about 50' of the house to pick up the baby monitor (maybe a little further with a high gain antenna). That's either in the middle of the street or a neighbor's yard. Someone who is that close can tell if anyone is home anyway. And anyone just loitering outside my home, in my yard, or in a neighbor's yard in the middle of the night is probably going to have some questions to answer before too long.
Random kidnappings, especially ones in
Re: (Score:2)
So, you're home in the evening and your wife calls "Hey, honey, can you give me the credit card number for something I'm buying online?" and you tell her the number. The baby monitor hears.
That's just one example, and not a particularly scary one. Use your imagination. It's not just about whether or not you're home, it's about what information is available inside your house that you don't want shared with random listeners.
Re: (Score:2)
So, you're home in the evening and your wife calls "Hey, honey, can you give me the credit card number for something I'm buying online?" and you tell her the number. The baby monitor hears.
They can get that far quicker and easier by rummaging through your trash. Or they can get a job at the Mall, and record dozens of CC numbers every day.
Re: (Score:2)
So... there is nothing that a microphone could pick up in your house that you wouldn't want overheard?
that's right, nothing. i guess i'd prefer it if i wasn't overheard, but i'm not willing to spend taxpayer money and introduce even more complexity in an already ridiculous spider's web of laws.
people need to understand that you are (almost) all boring nobodies. no one wants to listen to you. no one gives a crap that you even exist. you own nothing worth stealing, and there's no information you possess that's in the least bit interesting.
it's all narcissism. people think they are so special that someone would
Re: (Score:2)
So, let's summarize: In order to maybe(!) be able to clearly hear an entire credit card number and expiration date over a baby monitor**, someone has to be in your street or neighbor's yard for hours on end (if not days) holding an antenna in full view of any and all neighbors, listening intently, and hoping that the numbers are enunciated loudly and clearly enough, all while standing close enough to the baby's crib (where the mic is). Oh... and our burglar would have to know that the victim family
Re: (Score:2)
You're missing the point. Credit card numbers were just one example. Unless you're comfortable broadcasting everything that goes on in your house, this is an issue.
Also, there's no need to actually have a person sit in full view of anyone. Just hide a repeater in the shrubbery.
Re: (Score:2)
Have you any idea how fucking dumb and contrived that scenario is? Seriously, do you?
^^^^ this.
Re: (Score:2)
You're missing the point. Credit card numbers were just one example. Unless you're comfortable broadcasting everything that goes on in your house, this is an issue.
could you give some examples of what might be going on in a house that would make it worthwhile for a hacker to risk trespassing, incur the cost of leaving surveillance equipment on your property and risk it being destroyed or discovered, and spend their time placing the equipment, retrieving the equipment, then spending countless hours reviewing the data looking for something useful?
any type of information that could be discovered in this manner would be much more efficiently stolen via breaking in or simp
Re: (Score:2)
Such critical information.
People use baby monitors to enable them to close doors so
Re: (Score:2)
The default gain may be poor, but it might be adjustable; it wouldn't surprise me at all if developers who were lax enough to not bother encrypting the feed also provided a low-level control interface over the same channel. It would be really convenient for debugging.
Even that doesn't really matter that much... do you really want a microphone in your house broadcasting what it hears? Exactly how much it hears may depend on where you are, what doors are open or closed, etc., but are you really sure it's ne
Re: (Score:2)
http://www.telegraph.co.uk/tec... [telegraph.co.uk]
It has happened, it could happen to anyone. But this is a two way monitor, when my kids were little they were audio only and one way.
Re: (Score:2)
It has happened, it could happen to anyone.
a plane could also crash into your home. it has happened, it could happen to anyone. are you building a steel dome around your home to protect yourself?
considering there are 7 billion people in the world, anything that can happen will happen. that doesn't mean we need to make laws and regulations to block anything that can happen. it isn't free. it costs your taxpayer money, and the time lawyers and agencies spend on this is time they aren't spending on other things.
Re: (Score:2)
Bingo. So someone can hack the monitor and listen to my baby sleep or not sleep. Or even watch him sleeping. What exactly is the threat? What information can they really gain that is of use? That the sheets are green instead of blue?
You can't see color when the video camera is operating by IR light. So you would not even be able to tell if the sheets are green or blue. You could tell the pattern or print on them but not the colors.
Re: (Score:3)
Until someone manages to get on TV and show how easy it is to spy on children that way, then you'll see consumers demanding security.
Doesn't seem to have happened. [ctvnews.ca] News articles are already popping up over it, and nothing is going on. It'll likely take either a very serious case (death, kidnapping, etc.) to happen, or government regulators stepping in and requiring proper security certification on networked devices. I expect that if there's even a hint of that happening a self-regulating body will suddenly spring into existence by said companies though.
Re: (Score:2)
http://www.telegraph.co.uk/tec... [telegraph.co.uk]
It even made nationwide news when it happened to some non techies.
Re: (Score:2)
Do your two year old children usually sleep walk from school?
Re: (Score:2)
TV? Why not a whitehat hack. Post a message to the baby monitors saying "this device was easy to hack - please visit this website to learn more about how to patch/configure your device"
Or...patch them for people.
Or...encrypt it and demand $50 to unlock it. Oh wait - PC users are having to deal with this already :-P
Re: (Score:1)
Not really a problem, though. So people can listen in on baby monitors when they're turned on. They're not always turned on. People turn them off when they're not using them.
Re: (Score:2)
I have never heard of someone turning off the baby monitor when it isn't in use.
This is the big deal:
http://www.telegraph.co.uk/tec... [telegraph.co.uk]
Re: (Score:2)
The cheap monitor we had, you had to turn off both the units - if you only turned off one, the other would make an awful static sound fairly loudly and non-stop.
Which is weird, 'cause it wasn't a two way system - simple broadcast unit for baby's room and receiver for wherever which of us adults was being responsible was located (kitchen, living room, or garage)
Re: (Score:2)
I'm starting to believe that we should simply not allow any internet connected consumer device to be sold without the ability to automatically patch its own software / firmware, and a clear commitment from the company up front as to how long they'll continue to support it. If a company is not willing to add that capability to the device, then it's not secure enough to be sending or receiving internet data. We don't let toy cars drive on the freeway. Maybe we should think of internet-enabled devices in t
Re: (Score:2)
Silliness aside, until manufacturers have to pay the price in the marketplace for their crappy wares, they won't bother to do it right.
Well, yes, but isn't it a bit naive to think that 'the Market' will magically make them pay? Society - the state, if you will - has to step in and make it very painful for the owners and CEOs of these companies; they quite often seem to take on the attitude of criminals, that 'we are entitled to make money by whatever means, and screw the consequences for others'. Let me emphasise this a bit: it should cost the CEO and other managers, AS WELL AS the major share holders, of a company dearly, if they allow th
Re: (Score:1)
Silliness aside, until manufacturers have to pay the price in the marketplace for their crappy wares, they won't bother to do it right.
Well, yes, but isn't it a bit naive to think that 'the Market' will magically make them pay?
Almost every time I see an expert complaining about a product, it ends up looking like a fanatic blowing a legitimate but rare issue far out of proportion. Network connected baby monitors, projectile toys [toysyouhad.com], window cords [fairwarning.org]... It's all the same. Freak accident or strange connection, and all of a sudden there's someone crying for government or a product liability lawyer to protect people from themselves.
People don't care about your pet project. They don't care if someone might figure out how to access their i
Re: (Score:2)
Almost every time I see an expert complaining about a product, it ends up looking like a fanatic blowing a legitimate but rare issue far out of proportion.
That may be so, but perhaps it would be worth listening to the expert and following his or her reasoning, rather than just dismissing it out of hand? Being experts, they have probably put a good deal of thought into their opinion, and perhaps what they are talking about is a symptom of a wider problem? A few tens of thousands of networked baby-monitors is not a big problem, although it might be for the families that have them, but the total amount of poorly secured network gadgets is potentially huge, and a
Re: (Score:2)
We live in the safest age ever and there is epidemic of paranoia around every little thing, especially around children.
I'm not sure what your agenda is here, but when you compare to just 50 years ago, I am sure you will recognise that where criminal gangs 50 years ago were mostly localised, except perhaps for a few, like the Mafia, the internet has now made it trivially easy to organise anything across the globe, be it pedophile rings, drug cartels, people smuggling or terrorism. 50 years ago, when people were scared of pedophiles, they would be on the look-out for a grubby middle aged man in the neighbourhood (as inaccurat
Re: (Score:2)
They'll probably call it CyberUL [recode.net].
hacking (Score:1)
Re: (Score:3)
Correct.
But the logging in with default passwords is. Even though the person that did not change the password is stupid, it is still cracking to take advantage of that stupidity.
Re: (Score:2)
Exactly. The existence of a password more or less translates as "authorized personnel only". Being able to pick the lock doesn't equate to permission to enter.
Re: (Score:2)
But what constitutes authorization? Being given the password by whoever set it?
In the case of a default it was set by the manufacturer, and they have given you the password in the form of documentation.
Re: (Score:2)
Don't be obtuse. Authorization comes from the owner of the device or someone acting on the owner's behalf. Do you really think the locksmith is authorized to grant you access to his customer's homes?
You may know your coworker puts his car keys in his desk drawer. Does that knowledge or the fact that it's common to do so constitute his permission to take his car for a spin?
Re: (Score:1)
Don't be obtuse. Authorization comes from the owner of the device or someone acting on the owner's behalf. Do you really think the locksmith is authorized to grant you access to his customer's homes?
A default password is 'security optional.' The user has the option to change the password and restrict access, but he's also free to leave the default pw so anyone can access. Same way you're free to configure your WAP with no encryption.
The house - data metaphor is really not a good way to talk about data security. I may be perfectly happy to have other people wander around my data. To let grandma check in on the baby from across the country, even if that means that a random person could stumble across
Re: (Score:2)
As long as people in general tend to not realize the implications of not changing the default password, it is not an invitation to the public. Not setting a password at all or telling everyone the password on the login screen or in the SSID is an invitation to the public.
People SHOULD change the default password but often don't realize it. Just like people SHOULD respect private property but don't always.
Re: hacking (Score:2)
I've actually been thinking of changing my open "Guest" SSID to "Password is guestaccess" and putting WPA2 PSK on it, for better guest privacy. I wouldn't consider it hacking for somebody to use it. Just be careful with terminology and specificity before somebody carelessly outlaws more useful things (like the firmware that lets me do those useful things).
Re: (Score:2)
That would be you, the owner of the device, explicitly granting access to anyone who sees the SSID. No password is you implicitly granting access.
Re: (Score:2)
Here's a phone, call someone who cares.
Legal or illegal means jack if there is no way to even detect it.
Because the parents don't care. (Score:3)
This has less to do with security and more to do with the fact that people don't really care. A baby monitor is there so you can hear / see your baby and make sure it is still breathing and to see if you really do need to go into their room when they are crying. While most people would be creeped out by the idea of someone else looking at their baby on a monitor they don't really care that much. It's not like parents see baby monitors as something that stops you stealing the baby.
Re: (Score:2)
people don't really care.
People would care if they were aware of the security and privacy risks.
Re: (Score:2)
You see people vote and still believe this?
People can't be assed to care. There are exactly two kinds of answers you'll get. "Oh, it can't be THAT bad or they'd outlaw that" and "But why should that happen to ME?"
Re: (Score:3)
No I don't believe they will. What exactly are the security issues? 99% of baby monitors are pointed at a cot and show nothing more than the inside of the cot, you can't see anything else. You can't see points of entry, you can't see the rest of the room and you are unlikely to be able to identify which room you are looking at. At absolute best you MIGHT be able to see when there is no one home but you sure as hell wouldn't trust the baby monitor to hear the rest of a house.
As for privacy they will get
Re: (Score:2)
People don't buy baby monitors for security.
Agree. I have a video baby monitor and I don't really care if it's secure because the odds of someone targeting my wifi network and camera feed are low, and the impact of such a thing happening is negligible. While a few monitors have been hacked, this is not presently an issue of thousands of creepers hacking every cam they can find - we are talking about several isolated incidents. I am FAR more concerned about someone breaking into my house and being some kind of actual threat to my family, and even then
Re: (Score:2)
I'm more concerned about fire than any other risk. Where I live break ins are really really rare, as is crime of any kind really, so the thing I worry about is fire. So I have extra smoke detectors fitted and I have made my eldest (5) learn how to get out if there is a fire and all the doors are locked. And that causes you to have some interesting choices. She didn't have the strength to turn the key in the dead bolt meaning she couldn't open the front door and she struggled enough with the security scr
Re:Because the parents don't care. (Score:5, Funny)
People would care if they were aware of the security and privacy risks.
If those babies have nothing to hide then they have nothing to worry about.
Re: (Score:2)
People care not about them though!
Re: (Score:1)
The article about how "anyone can code if they copy and
Re: (Score:2)
Why bother? I'm pretty sure there's plenty of people who are so desperate to be noticed that there's a page for them to post such videos themselves.
Re: (Score:2)
but you might see a rash of home burglaries.
the same problems will be seen again with every device we use.
poor security/quality controls practices start at the CEO
how many car recalls have there been over a less than $5 part...
How secure is your Windows desktop?
the more your car gets to be like your desktop, will your attitude change ?
I know when my Windows desktop crashes, it rarely is running freeway speed with my family & friends in it.
Analog baby monitors or CB? (Score:2)
Nobody could care less about these problems, and buys these because they are cheap, rugged and consume low power.
Re: (Score:2)
Analogue baby monitors [melchioni.it] transmit and receive on CB frequencies or nearby. So everyone with a short wave radio or a CB rig could listen, and if the propagation is strong, signals from hundreds of kilometers away could be received by the baby monitor, and every trucker nearby could eavesdrop on your home. Nobody could care less about these problems, and buys these because they are cheap, rugged and consume low power.
Exactly. I did a motorcycle road trip with a friend years ago, with some cheap helmet-to-helmet communicator radios. We heard a lot of babies on that trip, and an occasional mom talking to her baby. It did not deter me from using them later when I had my own.