Are hackers watching your baby? Baby monitor vulnerabilities revealed

Research from IT security company Rapid7 shows that WiFi-enabled baby monitors are more vulnerable to hackers than previously reported.
Its report, "IoT security: 10 new vulnerabilities for video baby monitors", primarily focuses on ten new vulnerabilities, which include allowing third parties to log in and view data and video captured by the monitors, as well as being able to access other WiFi-enabled devices on the same connection.
Nine baby monitors from eight different companies, at price points between $55 and $260 USD, were examined and tested. Rapid7 found flaws in both the design of the product and in the implemented security architecture for every camera they tested. Some even lacked encryption of their data streams, reported the Huffington Post.

The table summarises the new vulnerabilities (which the security firm assures us have been disclosed to the vendors of the baby monitors and to CERT, the internet's official emergency team).

Disturbingly, Rapid7 seems to be rather underwhelmed by the responses from the firms contacted about the discoveries. The report states: “The range of responses itself is worrying, and representative of the IoT industry as a whole. While it is possible for an organization to maintain a flexible, mature process for handling unsolicited vulnerability reports, it is far from the norm. It is hoped that the publication of these findings will help IoT vendors establish reasonable, effective vulnerability handling practices.”

So what can affected people do about this?
Rapid7 admits in the report that these are not easy fixes: “A sub-one hundred dollar video baby monitor, a five hundred dollar smart phone, a thirty-five-thousand dollar connected car and a four hundred million dollar jet liner are all difficult to patch, even when vulnerabilities are identified, known and a fix is in hand.”
The company posted this advice on its online FAQ:
“Consumers are advised to pay attention to their individual vendors’ web sites for news regarding any available firmware or mobile application updates. We advise individuals to use any camera that has not been fixed for identified issues or weaknesses sparingly – or preferably not at all – until the vendor is able to fully address the identified problems. If a baby monitor allows a password to be changed, the device owner is highly encouraged to do so and to make a strong password to protect access.”
So there you go. Change the password on your baby monitor if you can. And while you are at it, why not check your WiFi password as well, making sure it is not the factory default, a chronological sequence of numbers, or the name of your pet.

B2B media executive with an unusually broad and international range of experience in both the editorial and commercial aspects of publishing, social media and events. I write a range of content types on technical subjects in wholesale finance and IT and have interviewed senior figures from the public and private sector globally for many years.