Security researchers have discovered a vulnerability in a popular video baby monitor, which could allow strangers to view footage from its camera, and even take control of the device remotely.
On the face of it, a smart baby monitor seems like a great idea for new parents, allowing them to keep an eye on their kids using a smartphone app. Unfortunately, if security measures aren’t implemented properly, they can be a serious privacy risk.
Experts from Bitdefender (in collaboration with PCMag) discovered a severe vulnerability with the iBaby Monitor M6S, which lets third parties access stored files, obtain personal information, and take over the camera itself.
Diving into the device’s firmware revealed that, although the camera uses strong encryption standards, they aren’t properly implemented. The camera sends encrypted data to iBaby’s servers using HTTPS, but the security certificate isn’t validated, allowing the traffic to be intercepted in a man-in-the-middle attack.
What you can do
So just how likely is it for anyone to exploit such a weakness? Perhaps more than you’d expect.
At a security demonstration for the release of the Bitdefender Box, TechRadar saw just how easy it is to find and take remote control of a poorly secured IP camera. It’s remarkably straightforward, requiring no expert equipment and little specialist knowledge.
Many cameras are even more vulnerable than the iBaby monitor, thanks to problems like hard-coded admin logins, and firmware based on old open source code with well-publicized weaknesses.
Bitdefender and TechRadar have contacted iBaby for comment, but so far the company has yet to reply. Hopefully it will soon respond to the researchers’ findings and issue an update that will patch the vulnerability, but for the time being the only ‘solution’ is to disconnect the device from your network.
Internet of Things devices can be enormously useful, but it pays to be cautious. It’s wise to only buy products from known brands that will hold themselves (and be held) to strict standards. Always install any firmware updates as soon as they become available, and subscribe to email notifications from the company so you’re made aware if anything goes awry.
It’s also worth considering investing in a hardware firewall that will monitor incoming and outgoing network traffic for all your devices, and alert you if anything looks unusual.