Slashdot Mirror


Despite Reports of Hacking, Baby Monitors Remain Woefully Insecure

itwbennett writes: Researchers from security firm Rapid7 have found serious vulnerabilities in nine video baby monitors from various manufacturers. Among them: Hidden and hard-coded credentials providing local and remote access over services like SSH or Telnet; unencrypted video streams sent to the user's mobile phone; unencrypted Web and mobile application functions and unprotected API keys and credentials; and other vulnerabilities that could allow attackers to abuse the devices, according to a white paper released Tuesday. Rapid7 reported the issues it found to the affected manufacturers and to US-CERT back in July, but many vulnerabilities remain unpatched.

109 comments

  1. Marketplace Justice by eyepeepackets · · Score: 5, Insightful

    Would be nice if there were an organization like UL Underwriters for network security, call it Network Underwriters Themed, Security Assured Credentials -- NUTSAC for short.

    Silliness aside, until manufacturers have to pay the price in the marketplace for their crappy wares, they won't bother to do it right.
    --
    Everything in the Universe sucks: It's the law!

    1. Re:Marketplace Justice by luvirini · · Score: 2

      The problem is that most people do not think about security and thus will not demand that in products. So the market place will not demand such.

      Thus in the future with IoT, we will soon see a lot of stuff, the current small scale thing is just the beginning.

      In the long run I expect there will be laws and liabilities, but that is still a long way off at this point.

    2. Re:Marketplace Justice by MyAlternateID · · Score: 1

      The problem is that most people do not think about security and thus will not demand that in products. So the market place will not demand such.

      Thus in the future with IoT, we will soon see a lot of stuff, the current small scale thing is just the beginning.

      In the long run I expect there will be laws and liabilities, but that is still a long way off at this point.

      Laws will happen. Just as soon as the first death is caused by a hack (or a hack gone wrong). However indirectly. That's what it takes for average people, and thus their representatives, to pay attention and figure out that something actually does matter. Then it will be a CRISIS! and we must do something NOW!

    3. Re:Marketplace Justice by tlhIngan · · Score: 4, Insightful

      The problem is that most people do not think about security and thus will not demand that in products. So the market place will not demand such.

      Until someone manages to get on TV and show how easy it is to spy on children that way, then you'll see consumers demanding security.

      The problem is the consumer doesn't know how easy it is for someone that is not them to access their camera. And you'll see immediate change because it's all about the kids.

      What needs to happen is media attention

    4. Re:Marketplace Justice by Dutch+Gun · · Score: 1

      I'm starting to believe that we should simply not allow any internet connected consumer device to be sold without the ability to automatically patch its own software / firmware, and a clear commitment from the company up front as to how long they'll continue to support it. If a company is not willing to add that capability to the device, then it's not secure enough to be sending or receiving internet data. We don't let toy cars drive on the freeway. Maybe we should think of internet-enabled devices in the same way.

      Maybe devices like Google's OnHub router are the way we need to go (ignoring who it's from for a moment). The device pings the mothership and automatically updates itself as needed. There's nothing all that difficult about auto-patching firmware if the device is already internet enabled and has flash-able firmware. It's expecting too much of normal users to know which of a thousand models of hardware they have, and to know if they need to patch it because of a critical vulnerability. I mean, it's apparently too much for many supposed professional IT departments. How can we expect that of normal consumers?

      I really wish the industry would get off its ass and start taking responsibility for things like this, but it's just not happening. It's more profitable to just throw some half-assed features on there and put the "watch from anywhere on the internet" bulletpoint on the box. Unfortunately, they're going to keep this sort of nonsense up until enough people start calling for legislation and regulation. Getting the government involved is always a mixed blessing.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    5. Re:Marketplace Justice by MyAlternateID · · Score: 1

      The problem is that most people do not think about security and thus will not demand that in products. So the market place will not demand such.

      Until someone manages to get on TV and show how easy it is to spy on children that way, then you'll see consumers demanding security.

      The problem is the consumer doesn't know how easy it is for someone that is not them to access their camera. And you'll see immediate change because it's all about the kids.

      What needs to happen is media attention

      Or people could do something unusual and inform themselves. They will find a way to do that, if the kids are really so important. If not, it'll be someone else's job, perhaps the legislators' job.

    6. Re:Marketplace Justice by sjames · · Score: 1

      I'm a bit surprised the CSI:Cyber episode about the people hacking baby monitors, kidnapping, and selling babies didn't get people thinking.

    7. Re:Marketplace Justice by Anonymous Coward · · Score: 0

      Does the Author have a clue about what the lead time for product changes is when you are working with overseas production? Even if the stars align and everything goes right you still have 4 - 5 months for the new boards with new firmware to reach stateside. Doing a chicken little because the alert went to the manufacturers less than 60 days ago is pretty stupid.

    8. Re:Marketplace Justice by bigfinger76 · · Score: 1

      I was so busy laughing that I forgot to consider the reality.
      Is that show getting a second season?

    9. Re:Marketplace Justice by ShanghaiBill · · Score: 2

      Until someone manages to get on TV and show how easy it is to spy on children that way

      Well, I know that I stay awake at night worrying that the neighbors are watching my kids sleep. That is a parent's worst nightmare.

    10. Re:Marketplace Justice by Mashiki · · Score: 2

      Until someone manages to get on TV and show how easy it is to spy on children that way, then you'll see consumers demanding security.

      Doesn't seem to have happened. News articles are already popping up over it, and nothing is going on. It'll likely take either a very serious case (death, kidnapping, etc) to happen, or government regulators stepping in and requiring proper security certification on networked devices. I expect that if there's even a hint of that happening a self-regulating body will suddenly spring into existence by said companies though.

      --
      Om, nomnomnom...
    11. Re:Marketplace Justice by sjames · · Score: 1

      Yes, it is. Ratings were good.

      Beneath the animations meant to depict hacking and the totally unnecessary 3d displays and such, they have the fundamental truth right. Hackers really can get in to that stuff that easily and they really could cause big problems.

    12. Re:Marketplace Justice by Anonymous Coward · · Score: 0

      You cannot kill a baby with a monitor, but a baby video feed could be considered child porn. That thought could cause a whole lot of high power legal attention to be whipped onto many unsuspecting parents.

    13. Re:Marketplace Justice by davester666 · · Score: 1

      That's totally made up. It would never happen IRL.

      --
      Sleep your way to a whiter smile...date a dentist!
    14. Re:Marketplace Justice by sjames · · Score: 1

      Perception is king. The facts don't matter much.

      Agreed, that PARTICULAR story line isn't going to happen. However, the starting fact that baby monitors have practically no security is true.

    15. Re:Marketplace Justice by Harlequin80 · · Score: 1

      Finally someone on here who has kids. If you want to watch my youngest's creepy as fuck arguments with the empty air you go right ahead!

    16. Re:Marketplace Justice by Threni · · Score: 1

      Not really a problem, though. So people can listen in on baby monitors when they're turned on. They're not always turned on. People turn them off when they're not using them.

    17. Re:Marketplace Justice by Anonymous Coward · · Score: 0

      Until someone manages to get on TV and show how easy it is to spy on children that way, then you'll see consumers demanding security.

      The problem is the consumer doesn't know how easy it is for someone that is not them to access their camera. And you'll see immediate change because it's all about the kids.

      What needs to happen is media attention

      But there was an episode of CSI:Cyber about this very issue. Are you saying a television show addressing baby monitor hacking for criminal purposes is not "(getting) on TV...show how easy it is to spy on children?"

    18. Re:Marketplace Justice by dwillden · · Score: 1

      Bingo. So someone can hack the monitor and listen to my baby sleep or not sleep. Or even watch him sleeping. What exactly is the threat? What information can they really gain that is of use? That the sheets are green instead of blue?

      --
      I'm too lazy to compose a creative sig.
    19. Re:Marketplace Justice by Anonymous Coward · · Score: 0

      Adults making real-world conclusions from a CSI episode would be a really disturbing thing. Adults treating CSI as non-real fantasy is a good thing and a healthy state of things.

    20. Re:Marketplace Justice by jandersen · · Score: 1

      Silliness aside, until manufacturers have to pay the price in the marketplace for their crappy wares, they won't bother to do it right.

      Well, yes, but isn't it a bit naive to think that 'the Market' will magically make them pay? Society - the state, if you will - has to step in and make it very painful for the owners and CEOs of these companies; they quite often seem to take on the attitude of criminals, that 'we are entitled to make money by whatever means, and screw the consequences for others'. Let me emphasise this a bit: it should cost the CEO and other managers, AS WELL AS the major share holders, of a company dearly, if they allow their company to make money by selling crap like this.

      This kind of thing also flags up the whole idea of IoT as being desperately stupid; hackers will find ways through any security measures, even the best, if they want to, we know that, and the producers of IoT gadgets don't seem more than vaguely interested in implementing the best practices. On top of that, we hope to rely on the wit of consumers, who by and large don't have any idea about what network security is? What could possibly go wrong?

      We have to get the problems with internet scammers and other criminals under control before we proceed with IoT; otherwise, people are going to lose the fundamentally important confidence in all online business - and that would cause significant problems, I think it is fair to say.

    21. Re:Marketplace Justice by tburkhol · · Score: 1

      The problem is that most people do not think about security and thus will not demand that in products. So the market place will not demand such.

      Laws will happen. Just as soon as the first death is caused by a hack (or a hack gone wrong).

      Am I the only one who remembers when products like baby monitors worked by RF broadcast? It used to be anyone could turn their radio to 88.7, their TV to channel 4, or whatever frequency was being broadcast, and listen in. Anyone with the same brand of monitor could pick up neighboring signals (in the unlikely event you'd both bought the same one), and they rarely even offered so much as a choice of 'channel A' vs 'channel B'.

      Sure, the old systems required physical proximity. Maybe the new network connected ones are more widely viewable, if you're dumb enough to put them on a public-facing address. It sure seems like a paranoid fantasy that 'hackerz' might troll the internet for open baby monitors, figure out a physical address to go with the IP address, then go steal your baby or your baby monitor.

    22. Re:Marketplace Justice by drinkypoo · · Score: 0

      Bingo. So someone can hack the monitor and listen to my baby sleep or not sleep. Or even watch him sleeping. What exactly is the threat? What information can they really gain that is of use? That the sheets are green instead of blue?

      Would-be molesters could drive down the street with a bundle of baby monitors, I suppose. Watch out for church vehicles emitting a video glow at night.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    23. Re:Marketplace Justice by swillden · · Score: 1

      Bingo. So someone can hack the monitor and listen to my baby sleep or not sleep. Or even watch him sleeping. What exactly is the threat? What information can they really gain that is of use? That the sheets are green instead of blue?

      They can see and hear a lot of details of activity inside the house, not just the baby. Whatever is in range of the camera and microphone.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    24. Re:Marketplace Justice by clicker666 · · Score: 2

      One of the "features" of some of these new cameras is that they stream back to a remote website. You then log onto that website to view the video. I have a security camera that you access via a Chinese website. In addition, the software is always detected as malware. Nothing sketchy there lol. I just use the camera for monitoring my parking area and utilize its local SD card storage, so no network needed.

    25. Re:Marketplace Justice by flink · · Score: 1

      They can see and hear a lot of details of activity inside the house, not just the baby. Whatever is in range of the camera and microphone.

      Again, what's the threat? It's creepy, yes, but you have to be within about 50' of the house to pick up the baby monitor (maybe a little further with a high gain antenna). That's either in the middle of the street or a neighbor's yard. Someone who is that close can tell if anyone is home anyway. And anyone just loitering outside my home, in my yard, or in a neighbor's yard in the middle of the night is probably going to have some questions to answer before too long.

      Random kidnappings, especially ones involving home invasions are so rare they are not worth worrying about. They just get sensationalized to such a degree that people worry about them disproportionally. The chances of it happening to your family specifically are basically 0. Your kid probably has a better chance of getting struck by lightning.

      And if someone wants to rob me, well there's not much I can do to prevent that regardless. I have an alarm to deter casual thieves, but locks only keep out honest people. That's what I have insurance for.

    26. Re:Marketplace Justice by tburkhol · · Score: 1

      Silliness aside, until manufacturers have to pay the price in the marketplace for their crappy wares, they won't bother to do it right.

      Well, yes, but isn't it a bit naive to think that 'the Market' will magically make them pay?

      Almost every time I see an expert complaining about a product, it ends up looking like a fanatic blowing a legitimate but rare issue far out of proportion. Network connected baby monitors, projectile toys, window cords... It's all the same. Freak accident or strange connection, and all of a sudden there's someone crying for government or a product liability lawyer to protect people from themselves.

      People don't care about your pet project. They don't care if someone might figure out how to access their internet baby monitor because they'd really like a way to feed the baby monitor onto their facebook page. They don't care if bad guys might use the baby monitor to find out when the house is vacant because the curtains are all open and anyone walking by can see the house is empty. Bad practices increase the risk of extremely unlikely events, but they're still extremely unlikely events.

    27. Re:Marketplace Justice by swillden · · Score: 1

      So, you're home in the evening and your wife calls "Hey, honey, can you give me the credit card number for something I'm buying online?" and you tell her the number. The baby monitor hears.

      That's just one example, and not a particularly scary one. Use your imagination. It's not just about whether or not you're home, it's about what information is available inside your house that you don't want shared with random listeners.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    28. Re: Marketplace Justice by Anonymous Coward · · Score: 0

      And then what? They hear a lot of crying and then a Chinese dingo comes and eats my baby?

    29. Re:Marketplace Justice by ShanghaiBill · · Score: 1

      So, you're home in the evening and your wife calls "Hey, honey, can you give me the credit card number for something I'm buying online?" and you tell her the number. The baby monitor hears.

      They can get that far quicker and easier by rummaging through your trash. Or they can get a job at the Mall, and record dozens of CC numbers every day.

    30. Re:Marketplace Justice by Penguinisto · · Score: 1

      So, let's summarize: In order to maybe(!) be able to clearly hear an entire credit card number and expiration date clearly, over a baby monitor**, someone has to be in your street or neighbor's yard for hours on end (if not days) holding an antenna in full view of any and all neighbors, listening intently, and hoping that the numbers are enunciated loudly and clearly enough, all while standing close enough to the baby's crib (where the mic is). Oh... and our burglar would have to know that the victim family has XYZ brand of baby monitor, and know when it'll be on, and know how to exploit it, *spend* time exploiting it, and...

      Have you any idea how fucking dumb and contrived that scenario is? Seriously, do you?

      I mean, dude, if I'm going to steal credit card numbers? I think that an anonymizing VPN account and an hour on some small business owner's poorly-constructed eStore front will get me far more useful information for far less exposure, dontchathink?

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    31. Re:Marketplace Justice by Coren22 · · Score: 1

      http://www.telegraph.co.uk/tec...

      It has happened, it could happen to anyone. But this is a two way monitor, when my kids were little they were audio only and one way.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    32. Re:Marketplace Justice by Coren22 · · Score: 1

      http://www.telegraph.co.uk/tec...

      It even made nationwide news when it happened to some non techies.

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    33. Re:Marketplace Justice by Coren22 · · Score: 1

      I have never heard of someone turning off the baby monitor when it isn't in use.

      This is the big deal:
      http://www.telegraph.co.uk/tec...

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    34. Re:Marketplace Justice by blueg3 · · Score: 1

      They'll probably call it CyberUL.

    35. Re:Marketplace Justice by swillden · · Score: 1

      You're missing the point. Credit card numbers were just one example. Unless you're comfortable broadcasting everything that goes on in your house, this is an issue.

      Also, there's no need to actually have a person sit in full view of anyone. Just hide a repeater in the shrubbery.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    36. Re:Marketplace Justice by swillden · · Score: 1

      So... there is nothing that a microphone could pick up in your house that you wouldn't want overheard?

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    37. Re:Marketplace Justice by sjames · · Score: 1

      I guess you must find yourself disturbed much of the time then.

    38. Re:Marketplace Justice by i.r.id10t · · Score: 1

      The cheap monitor we had you had to turn off both the units - if you only turned off one, the other would make an awful static sound fairly loudly and non-stop.

      Which is weird, 'cause it wasn't a two way system - simple broadcast unit for baby's room and receiver for wherever which of us adults was being responsible was located (kitchen, living room, or garage)

      --
      Don't blame me, I voted for Kodos
    39. Re:Marketplace Justice by Anonymous Coward · · Score: 0

      And when you go outside, some jerk can yell abuse at your kid too. If he is afraid to do so while the kid is with you, said asshole can do so to kids going home from school. But, unless there is an epidemic of assholes hacking monitors and yelling at kids, the market will not care all too much. After all, it would be as reasonable a way to spend money as putting armed cops on every sidewalk on the way to school.

    40. Re:Marketplace Justice by Coren22 · · Score: 1

      Do your two year old children usually sleep walk from school?

      --
      APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
    41. Re:Marketplace Justice by Agent0013 · · Score: 1

      Bingo. So someone can hack the monitor and listen to my baby sleep or not sleep. Or even watch him sleeping. What exactly is the threat? What information can they really gain that is of use? That the sheets are green instead of blue?

      You can't see color when the video camera is operating by IR light. So you would not even be able to tell if the sheets are green or blue. You could tell the pattern or print on them but not the colors.

      --

      -- ssoorrrryy,, dduupplleexx sswwiittcchh oonn.. -Quote found on actual fortune cookie.
    42. Re:Marketplace Justice by farble1670 · · Score: 1

      So... there is nothing that a microphone could pick up in your house that you wouldn't want overheard?

      that's right, nothing. i guess i'd prefer it if i wasn't overheard, but i'm not willing to spend taxpayer money and introduce even more complexity in an already ridiculous spider's web of laws.

      people need to understand that you are (almost) all boring nobodies. no one wants to listen to you. no one gives a crap that you even exist. you own nothing worth stealing, and there's no information you possess that's in the least bit interesting.

      it's all narcissism. people think they are so special that someone would go to incredible lengths to get a glimpse of them in their underwear or to find out that they like babysitter pron. people won't. unless you are a billionaire, or famous, no one cares. get over it.

    43. Re:Marketplace Justice by farble1670 · · Score: 1

      Have you any idea how fucking dumb and contrived that scenario is? Seriously, do you?

      ^^^^ this.

    44. Re:Marketplace Justice by Anonymous Coward · · Score: 0

      It's a matter of risk assessment. If there are 10,000 remote hackable baby monitors what are the chances of my baby monitor getting hacked? If the chances are low, then I don't care.
      The lock on my door won't keep out anyone who is a determined and trained lock-pick. It also won't keep out anyone who decided to drive a front loader through my door, but the chances of either happening are low enough that I don't buy a better lock or put up a Jersey barrier in front of my door.
      So yeah they're hackable, but what is MY risk?

    45. Re:Marketplace Justice by farble1670 · · Score: 1

      You're missing the point. Credit card numbers were just one example. Unless you're comfortable broadcasting everything that goes on in your house, this is an issue.

      could you give some examples of what might be going on in a house that would make it worthwhile for a hacker to risk trespassing, incur the cost of leaving surveillance equipment on your property and risk it being destroyed or discovered, and spend their time placing the equipment, retrieving the equipment, then spending countless hours reviewing the data looking for something useful?

      any type of information that could be discovered in this manner would be much more efficiently stolen via breaking in or simple hacking, or phishing. that's why you hear about those all the time, but you never hear about crime rings involving mass baby monitor snooping.

    46. Re:Marketplace Justice by farble1670 · · Score: 1

      It has happened, it could happen to anyone.

      a plane could also crash into your home. it has happened, it could happen to anyone. are you building a steel dome around your home to protect yourself?

      considering there are 7 billion people in the world, anything that can happen will happen. that doesn't mean we need to make laws and regulations to block anything that can happen. it isn't free. it costs your taxpayer money, and the time lawyers and agencies spend on this is time they aren't spending on other things.

    47. Re:Marketplace Justice by Anonymous Coward · · Score: 0

      Credit card numbers are a bad example. A better example is that you or your SO has a stalker, who hides the repeater mentioned by swillden in the bushes.

      The fact that these devices have a short range doesn't mean a person has to sit, 60s TV police stakeout-style, in their car along your street. A lot of this can be automated. How secure is your neighbor's wifi?

      Baby monitor security holes aren't scary because "random hackers will listen to your credit card numbers", it's scary because "someone interested in hurting you can use them to spy on you".

    48. Re: Marketplace Justice by Anonymous Coward · · Score: 0

      Where's the problem in this case? All babies look alike (within their race) so seeing one baby on a monitor is as good as seeing any other.

    49. Re: Marketplace Justice by Anonymous Coward · · Score: 0

      Dingos are Austrian, dummy.

    50. Re:Marketplace Justice by jandersen · · Score: 1

      Almost every time I see an expert complaining about a product, it ends up looking like a fanatic blowing a legitimate but rare issue far out of proportion.

      That may be so, but perhaps it would be worth listening to the expert and following his or her reasoning, rather than just dismissing it out of hand? Being experts, they have probably put a good deal of thought into their opinion, and perhaps what they are talking about is a symptom of a wider problem? A few tens of thousands of networked baby-monitors is not a big problem, although it might be for the families that have them, but the total amount of poorly secured network gadgets is potentially huge, and all of them represent a security risk - together they may amount to a serious problem.

      It may be the case that the risk of one of these things is low - say, 1 in 10000, for example - but if there are 2 billion of them, just to choose a number, it ends up being a problem for 200K units. If each of these cases constitutes a loss of $1000, we're looking at $200 million. I would say that is a significant problem. It is all too common for people to dismiss something out of hand just because it sounds silly and they can't be bothered to think it through.

      People don't care about your pet project.

      As a put-down remark, it's fairly feeble, I think. First of all, I don't have a pet project - certainly not when it comes to networked gadgets - I simply stay away from them unless I can see a clear justification for them, and in most cases I would probably build them myself. And of course, if I had a pet project, there would be somebody who cared: me. And whether anybody else was interested or not would not be at the centre of my attention - I don't have hobbies to attract the approval of others.

    51. Re:Marketplace Justice by Anonymous Coward · · Score: 0

      My point was that the risk of a two-year-old being yelled at by a stranger through a monitor is pretty much the same as the risk of a seven-year-old being yelled at going home from school. It is a super rare occurrence and the consequences are very low. Moreover, it is much easier to change the baby monitor or just stop using it, since a two-year-old is not a baby anymore. It is a waste of money and annoying when it happens, but it is not a large threat parents should worry about the whole night.

    52. Re:Marketplace Justice by Anonymous Coward · · Score: 0

      That may be so, but perhaps it would be worth listening to the expert and following his or her reasoning, rather than just dismissing it out of hand? Being experts, they have probably put a good deal of thought into their opinion, and perhaps what they are talking about is a symptom of a wider problem?

      We live in the safest age ever and there is an epidemic of paranoia around every little thing, especially around children. And that paranoia is expert-led. Most of them simply have something to sell. Exaggerating risks and manipulating you into fear is an easy, typical way to do so. Abusing the parental feeling of responsibility is the second most popular pattern.

      Irrational safety paranoia is making real-life parenting harder and more expensive for no good reason. It makes it easier to miss real dangers in the process of defending against tiny or non-existent ones.

      "Total amount of poorly secured network gadgets" is a problem for reasons that have nothing to do with strangers potentially watching babies. So, maybe experts who want to be taken seriously by thinking people should stop using parents and "think of the children" for their own unrelated purposes. Otherwise they are just adding to the wider problem of expert-induced paranoia.

    53. Re:Marketplace Justice by Anonymous Coward · · Score: 0

      Large-subnet fingerprint scanners and scripted exploits mean there's no safety in numbers.

    54. Re:Marketplace Justice by dwillden · · Score: 1

      Go visit our sis-in-law, she uses a video baby monitor. She was freaked out at first by the Cyber-CSI episode but then realized that there really is no threat. The gain on the mic isn't that great. We were there, the older kids were playing and yelling, but you really couldn't tell through the shut door to the nursery room. Watching it enabled us to watch the child not sleep but rather talk to himself for most of his nap.
      Such critical information.

      People use baby monitors to enable them to close doors so as to not risk disturbing the baby with conversations or other activities yet still allow them to monitor them. Doors are surprisingly effective at muffling sounds, add to that cheap microphones and good luck getting any information of actual value.

      --
      I'm too lazy to compose a creative sig.
    55. Re:Marketplace Justice by swillden · · Score: 1

      The default gain may be poor, but it might be adjustable; it wouldn't surprise me at all if developers who were lax enough to not bother encrypting the feed also provided a low-level control interface over the same channel. It would be really convenient for debugging.

      Even that doesn't really matter that much... do you really want a microphone in your house broadcasting what it hears? Exactly how much it hears may depend on where you are, what doors are open or closed, etc., but are you really sure it's never hearing anything you don't want broadcast?

      And, more importantly, how many people who buy a baby monitor even think about the issue? Product designers should not build a product that requires their user to do that sort of security analysis. Especially since it's quite easy to make it a non-issue.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    56. Re:Marketplace Justice by ripvlan · · Score: 1

      TV? Why not a whitehat hack. Post a message to the baby monitors saying "this device was easy to hack - please visit this website to learn more about how to patch/configure your device"

      Or...patch them for people.

      Or...encrypt it and demand $50 to unlock it. Oh wait - PC users are having to deal with this already :-P

    57. Re:Marketplace Justice by jandersen · · Score: 1

      We live in the safest age ever and there is an epidemic of paranoia around every little thing, especially around children.

      I'm not sure what your agenda is here, but when you compare to just 50 years ago, I am sure you will recognise that where criminal gangs 50 years ago were mostly localised, except perhaps for a few, like the Mafia, the internet has now made it trivially easy to organise anything across the globe, be it pedophile rings, drug cartels, people smuggling or terrorism. 50 years ago, when people were scared of pedophiles, they would be on the look-out for a grubby middle aged man in the neighbourhood (as inaccurate as that image may have been), but now we know that there is a huge market in child abuse organised across the globe, so people's children in the supposedly safe neighbourhood can be targeted by grubby perverts in every nation of the world.

      So, is the world safer for children? It is true that society in many countries cares better for children now than 50 years ago; education and medical care are more available and so on, but certain dangers have now become a lot more sinister than they were.

  2. hacking by Iamthecheese · · Score: 1

    Listening to/watching a publicly broadcast, unsecured video/audio stream isn't hacking.

    --
    If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    1. Re:hacking by luvirini · · Score: 2

      Correct.

      But the logging in with default passwords is. Even though the person that did not change the password is stupid, it is still cracking to take advantage of that stupidity.

    2. Re:hacking by Anonymous Coward · · Score: 0

      logging in with default passwords is.

      Logging in with the default credentials is no more hacking than opening a lock with its key is locksmithing. It can be illegal, but hacking it is not.

    3. Re:hacking by sjames · · Score: 1

      Exactly. The existence of a password more or less translates as "authorized personnel only". Being able to pick the lock doesn't equate to permission to enter.

    4. Re:hacking by Opportunist · · Score: 1

      Here's a phone, call someone who cares.

      Legal or illegal means jack if there is no way to even detect it.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:hacking by Bert64 · · Score: 1

      But what constitutes authorization? Being given the password by whoever set it?
      In the case of a default it was set by the manufacturer, and they have given you the password in the form of documentation.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    6. Re:hacking by sjames · · Score: 1

      Don't be obtuse. Authorization comes from the owner of the device or someone acting on the owner's behalf. Do you really think the locksmith is authorized to grant you access to his customers' homes?

      You may know your coworker puts his car keys in his desk drawer. Does that knowledge or the fact that it's common to do so constitute his permission to take his car for a spin?

    7. Re:hacking by tburkhol · · Score: 1

      Don't be obtuse. Authorization comes from the owner of the device or someone acting on the owner's behalf. Do you really think the locksmith is authorized to grant you access to his customers' homes?

      A default password is 'security optional.' The user has the option to change the password and restrict access, but he's also free to leave the default pw so anyone can access. Same way you're free to configure your WAP with no encryption.

      The house - data metaphor is really not a good way to talk about data security. I may be perfectly happy to have other people wander around my data. To let grandma check in on the baby from across the country, even if that means that a random person could stumble across the feed. People can "take" that data with no loss to me whatsoever and, as long as I'm careful with the data so available, little risk of harm. If a random person comes into my house, I have to clean up muddy footprints; if he takes my TV, it's no longer available to me; and he might even do physical harm to me or mine. A router password is not a house key. It's not even close.

    8. Re:hacking by Anonymous Coward · · Score: 0

      To some extent the legality of it matters.
      I don't think it should be illegal for me to monitor any radio-waves passing through my home, regardless of the nature of them.
      As long as I do that on my own no-one can really stop it, but it being illegal could lead to a situation where selling equipment that helps me decrypt certain signals is prohibited.
      I am of the opinion that if a broadcaster doesn't want me to look at their signal then they shouldn't send it through my house, it being impractical for some broadcasters isn't my problem.

      Now, it isn't entirely true that me monitoring signals can't be detected as long as I do it in my home. Say that I notice an interesting signal that obviously contains digital data. I record it to decrypt on my computer at a later time. The problem is that I might be running NewOS10 that without my knowledge reports what data I have stored to a third party. Suddenly the legality of me monitoring/decrypting those signals matters a lot, because if it is illegal law enforcement suddenly have a reason to break into my home and steal my stuff while claiming that I am a super evil cybercriminal terrorist.

    9. Re: hacking by bill_mcgonigle · · Score: 1

      I've actually been thinking of changing my open "Guest" SSID to "Password is guestaccess" and put WPA2 PSK on it, for better guest privacy. I wouldn't consider it hacking for somebody to use it. Just be careful with terminology and specificity before somebody carelessly outlaws more useful things (like the firmware that lets me do those useful things).

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    10. Re: hacking by sjames · · Score: 1

      That would be you, the owner of the device, explicitly granting access to anyone who sees the SSID. No password is you implicitly granting access.

    11. Re:hacking by sjames · · Score: 1

      As long as people in general tend to not realize the implications of not changing the default password, it is not an invitation to the public. Not setting a password at all or telling everyone the password on the login screen or in the SSID is an invitation to the public.

      People SHOULD change the default password but often don't realize it. Just like people SHOULD respect private property but don't always.

  3. FTC agreement with TrendNET proves to be worthless by Anonymous Coward · · Score: 0

    It is really telling that Philips, not TrendNET, was the most responsive to the security researchers. Based on the Feb 2014 agreement that TrendNET entered into with the FTC, they should already have in place a method of responding to this type of report. In fact, the FTC announcement from last year included:

    TRENDnet also is required to establish a comprehensive information security program designed to address security risks that could result in unauthorized access to or use of the company’s devices, and to protect the security, confidentiality, and integrity of information that is stored, captured, accessed, or transmitted by its devices. The company also is required to obtain third-party assessments of its security programs every two years for the next 20 years.

    So this begs the question, why isn't the comprehensive information security program required by the FTC responsive to the security researchers? Also, why didn't the third-party assessment catch this?

  4. Because the parents don't care. by Harlequin80 · · Score: 2

    This has less to do with security and more to do with the fact that people don't really care. A baby monitor is there so you can hear / see your baby and make sure it is still breathing and to see if you really do need to go into their room when they are crying. While most people would be creeped out by the idea of someone else looking at their baby on a monitor they don't really care that much. It's not like parents see baby monitors as something that stops you stealing the baby.

    1. Re:Because the parents don't care. by Anonymous Coward · · Score: 0

      Men don't care if their baby is stolen because then their woman wants to fuck them again thereafter, and women don't realize the vulnerabilities of the monitors because computer security knowledge isn't required for making websites red.

      You sound like a sensitive and caring individual.

      What other color should their websites be?

    2. Re:Because the parents don't care. by hcs_$reboot · · Score: 1

      people don't really care.

      People would care if they were aware of the security and privacy risks.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
    3. Re:Because the parents don't care. by Anonymous Coward · · Score: 0

      No, they still don't care. I've tried.

    4. Re:Because the parents don't care. by Opportunist · · Score: 1

      You see people vote and still believe this?

      People can't be assed to care. There are exactly two kinds of answers you'll get. "Oh, it can't be THAT bad or they'd outlaw that" and "But why should that happen to ME?"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Because the parents don't care. by Harlequin80 · · Score: 2

      No I don't believe they will. What exactly are the security issues? 99% of baby monitors are pointed at a cot and show nothing more than the inside of the cot, you can't see anything else. You can't see points of entry, you can't see the rest of the room and you are unlikely to be able to identify which room you are looking at. At absolute best you MIGHT be able to see when there is no one home but you sure as hell wouldn't trust the baby monitor to hear the rest of a house.

      As for privacy they will get a shit house picture and some poor audio of a baby crying or a baby sleeping. Usually in B&W, with slow frame rates, and an IR light causing everything to look weird. Nothing else is going to be done in front of that camera. No changing of babies, no accidental shots of you in the nude, nothing.

      People don't buy baby monitors for security. That is what their door locks and motion sensors are for and a baby monitor does nothing to help someone defeat those.

    6. Re:Because the parents don't care. by h33t+l4x0r · · Score: 4, Funny

      People would care if they were aware of the security and privacy risks.

      If those babies have nothing to hide then they have nothing to worry about.

    7. Re:Because the parents don't care. by hink · · Score: 1

      I believe he is sarcastically referring to another Slashdot article where a young girl was lauded as a "coder" because she looked up CSS color codes on Google.

      --
      - speaking only for myself, as always
    8. Re:Because the parents don't care. by rhazz · · Score: 1

      People don't buy baby monitors for security.

      Agree. I have a video baby monitor and I don't really care if it's secure because the odds of someone targeting my wifi network and camera feed are low, and the impact of such a thing happening is negligible. While a few monitors have been hacked, this is not presently an issue of thousands of creepers hacking every cam they can find - we are talking about several isolated incidents. I am FAR more concerned about someone breaking into my house and being some kind of actual threat to my family, and even then I don't bother to have a functioning alarm system.

    9. Re:Because the parents don't care. by Anonymous Coward · · Score: 0

      What does being a young girl have to do with it?
      There are plenty of people on Slashdot that claim to be coders just because they can edit a document format commonly used for webpages.

    10. Re:Because the parents don't care. by hink · · Score: 1

      Because the first AC in this tiny thread cast women as only worrying about changing web site colors, not computer security. Second AC didn't get the WHOOSH of the "joke" by first AC ( I hope it was a joke, otherwise the first AC is just a loathsome troll). I was bored and pointed out where the "joke" came from. First AC seized upon the fact that the example "coder" was a girl to make the joke fit over here. Then my explanation WHOOSHED over your head.

      The article about how "anyone can code if they copy and paste from Google", is looked at with shaking heads and scorn by the traditional Slashdot crowd, because we know that creating HTML and CSS is NOT "coding". That is, it isn't "coding" when the mainstream press (and apparently the "super HTML coders" themselves) basically equate "coding" to "programming". HTML tags copied from a web page is barely equal to the skill level of a script kiddy.

      Presentation and styling of a web page is not programming, so don't even try to make that argument.

      --
      - speaking only for myself, as always
    11. Re:Because the parents don't care. by Anonymous Coward · · Score: 0

      There's also the issue of alternatives. Basically, it's like you have two options: (1) get a device that has like a .001 chance of getting hacked by someone who might then proceed to watch your baby with you, or (2) not get a device and have a .001 chance of your baby dying after it struggles for breath.

      Guess which one people care about more.

      As to the question of getting a simpler more secure device, my guess is that when news like this comes out, people are more like "they're all probably hackable at some level." They'd be right of course, even if they're a little wrong too.

      Honestly, to me the biggest value of these vulnerability studies is in their being a test case for IoT security issues, with a lot of emotional pull. Better to have this stuff play out with people watching cribs than those opening your front door.

    12. Re:Because the parents don't care. by Harlequin80 · · Score: 1

      I'm more concerned about fire than any other risk. Where I live break ins are really really rare, as is crime of any kind really, so the thing I worry about is fire. So I have extra smoke detectors fitted and I have made my eldest (5) learn how to get out if there is a fire and all the doors are locked. And that causes you to have some interesting choices. She didn't have the strength to turn the key in the dead bolt meaning she couldn't open the front door and she struggled enough with the security screen doors on the other window it gave us real concerns about her managing it in a stress situation. Fortunately her room is on the ground floor and has a full length sash window that was easy to show her how to open and get out of. Of course I may regret that when she is 15....

    13. Re:Because the parents don't care. by antdude · · Score: 1

      People care not about them though!

      --
      Ant(Dude) @ Quality Foraged Links (AQFL.net) & The Ant Farm (antfarm.ma.cx / antfarm.home.dhs.org).
    14. Re:Because the parents don't care. by Anonymous Coward · · Score: 0

      A lot of baby monitors contain pre-recorded baby noises for precisely this reason. People buy them to feel reassured.

  5. must not be an issue.. by Anonymous Coward · · Score: 0

    i don't see the internet flooded with bare boobie breastfeeding videos siphoned-off of these monitors.

    1. Re:must not be an issue.. by Opportunist · · Score: 1

      Why bother? I'm pretty sure there's plenty of people who are so desperate to be noticed that there's a page for them to post such videos themselves.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:must not be an issue.. by randalware · · Score: 1

      but you might see a rash of home burglaries.

      the same problems will be seen again with every device we use.

      poor security/quality controls practices start at the CEO

      how many car recalls have there been over a less than $5 part...

      How secure is your Windows desktop ?

      the more your car gets to be like your desktop, will your attitude change ?

      I know when my Windows desktop crashes, it rarely is running freeway speed with my family & friends in it.

      --
      This is my opinion based on what little I know and understand of the rumors and lies Thanks, Randal
  6. Analog baby monitors or CB? by havana9 · · Score: 1

    Analogue baby monitors transmit and receive on CB frequencies or nearby. So everyone with a short wave radio or a CB rig could listen, and if the propagation is strong, signals from hundreds of kilometers away could be received by the baby monitor, and every trucker nearby could eavesdrop in your home.
    Nobody cares about these problems and people buy them, because they are cheap, rugged and consume little power.

    1. Re:Analog baby monitors or CB? by Anonymous Coward · · Score: 0

      the old audio monitors use 27 and 49 MHz frequencies that used to be used by old cordless phones (which now use 900 MHz or higher channels.. AND digital encoding.. and have for at least 15+ years).

      modern video monitors use ordinary wifi, and are basically a purpose-marketed ip camera and receiving display monitor.

    2. Re:Analog baby monitors or CB? by Anonymous Coward · · Score: 0

      I am pretty sure all truckers are into listening to sleeping or crying babies. They stopped listening to music so they hear better other peoples baby monitors as they go around.

    3. Re:Analog baby monitors or CB? by Mr+D+from+63 · · Score: 1

      Analogue baby monitors transmit and receive on CB frequencies or nearby. So everyone with a short wave radio or a CB rig could listen, and if the propagation is strong, signals from hundreds of kilometers away could be received by the baby monitor, and every trucker nearby could eavesdrop in your home. Nobody cares about these problems and people buy them, because they are cheap, rugged and consume little power.

      Exactly. I did a motorcycle road trip with a friend years ago, with some cheap helmet to helmet communicator radios. We heard a lot of babies on that trip, and an occasional mom talking to her baby. It did not deter me from using them later when I had my own.

  7. Ouch by burbilog · · Score: 2

    Laws will happen. Just as soon as the first death is caused by a hack (or a hack gone wrong). However indirectly. That's what it takes for average people, and thus their representatives, to pay attention and figure out that something actually does matter. Then it will be a CRISIS! and we must do something NOW!

    And that's the worst part of the problem. Because they won't fix the security problem, they will make it illegal to install a custom ROM on any wireless device.

  8. No need to worry by Anonymous Coward · · Score: 0

    NSA weirdos are watching your babies. And jerking off. A lot.

  9. A Baby And Already Compromised by Anonymous Coward · · Score: 0

    What a way to enter this world. God damn china/ruskie commies just got to do evil.

  10. Paranoia by Anonymous Coward · · Score: 0

    If you care about people listening in to your baby monitor then you probably also:

    - Have all the windows of your house blacked out.
    - Are not connected to standard utilities such as electricity, water, sewers....
    - Enter and leave the premises via a secret tunnel, in disguise.

  11. terrible by queBurro · · Score: 2

    are you saying someone could park outside my house and listen to me moan about my child kicking shit all over the walls? that's terrible.

    --
    sag
  12. I know, I don't care by Anonymous Coward · · Score: 0

    I bought a dirt cheap baby monitor. We used it for the first 3 months full time and maybe the next 3 months as needed.

    I fully suspected someone could use the signal if they were in close enough proximity. I really didn't care because the chances of someone doing that are astronomically small.

    This was not an internet enabled device. The range was barely enough to cover the house. First someone would either have to know I had a child or randomly be wardriving looking for signals. Second, if someone was looking for signals I have to expect they're either some kind of pervert or want to cause harm to my baby. If they're a pervert, shame on them but they won't be seeing much because we were mostly using it for audio and most of the time the video was blocked by a physical object. If they meant to cause harm to my baby, that's where the 2nd amendment helps out. It's not like I'm leaving the baby at home and going out.

    It really wasn't a big deal. Maybe I'd care more if I was in an apartment complex in the middle of the city but I am in low crime suburbia.

  13. *chuckle* by Anonymous Coward · · Score: 0

    Just about spit my drink out.

  14. Different needs (legitimate?) by gwolf · · Score: 1

    I have a RF audio-only baby monitor. Our house is quite big, and during our twins' first ~three months, it was hard to hear them from a different room. After the fourth month (they are six months old now), we haven't bothered to connect the monitor again, as their lungs are strong enough for us to hear whatever happens.

    And yes, we mainly used our monitor to quickly go check on them, to make the distress time as small as possible.

    Now, continuously streaming a video feed of my babies over the Internet... What good would that be for? Maybe only for me to ensure a hypothetical nanny didn't abandon or mistreat them while I'm at work — But I'd have to be always on watch!

    What kind of reaction could I as a parent have were I monitoring my kids away from home? What use would this really have for my kids' safety?

    The IoT is coming, I know, and we will soon have intelligent flowerpots. The cats' litter box will tweet every time a cat goes to pee. Yay for tech!

    But sometimes there's no need at all for more intelligence in our devices. I want a baby monitor to be reliable, easy to check and fix... And not dependent on issues that might break (i.e. my Internet uplink being down for some minutes). Sometimes dumber devices are more intelligent.

    1. Re:Different needs (legitimate?) by farble1670 · · Score: 1

      Now, continuously streaming a video feed of my babies over the Internet... What good would that be for? Maybe only for me to ensure a hypothetical nanny didn't abandon or mistreat them while I'm at work

      looks like you answered your own question huh?

      — But I'd have to be always on watch!

      maybe you see them crying. and you check 10 minutes later and they are still crying. there you go.

  15. This is why... by Anonymous Coward · · Score: 0

    This is why I went with the old stand-by: audio-only baby monitor.

    Yes, the security is terrible, but as long as we kept the data to baby breathing/crying/not there, I didn't really care.

    If someone had the time to sit there and listen to my baby breathe while within radio range, then I guess I just will let them hear it.

    We also removed them as soon as we could.