Despite Reports of Hacking, Baby Monitors Remain Woefully Insecure

itwbennett writes: Researchers from security firm Rapid7 have found serious vulnerabilities in nine video baby monitors from various manufacturers. Among them: Hidden and hard-coded credentials providing local and remote access over services like SSH or Telnet; unencrypted video streams sent to the user's mobile phone; unencrypted Web and mobile application functions and unprotected API keys and credentials; and other vulnerabilities that could allow attackers to abuse the devices, according to a white paper released Tuesday. Rapid7 reported the issues it found to the affected manufacturers and to US-CERT back in July, but many vulnerabilities remain unpatched.

Marketplace Justice

[eyepeepackets]

Would be nice if there were an organization like UL Underwriters for network security, call it Network Underwriters Themed, Security Assured Credentials -- NUTSAC for short.

Silliness aside, until manufacturers have to pay the price in the marketplace for their crappy wares, they won't bother to do it right.
--
Everything in the Universe sucks: It's the law!

Re:Marketplace Justice

[luvirini]

The problem is that most people do not think about security and thus will not demand that in products. So the market place will not demand such.

Thus in the future with IoT, we will soon see a lot of stuff, the current small scale thing is just the beginning.

In the long run I expect there will be laws and liabilities, but that is still a long way off at this point.

Re:Marketplace Justice

[tlhIngan]

The problem is that most people do not think about security and thus will not demand that in products. So the market place will not demand such.

Until someone manages to get on TV and show how easy it is to spy on children that way, then you'll see consumers demanding security.

The problem is the consumer doesn't know how easy it is for someone that is not them to access their camera. And you'll see immediate change because it's all about the kids.

What needs to happen is media attention

Re:Marketplace Justice

[ShanghaiBill]

Until someone manages to get on TV and show how easy it is to spy on children that way

Well, I know that I stay awake at night worrying that the neighbors are watching my kids sleep. That is a parent's worst nightmare.

Re:Marketplace Justice

[Mashiki]

Until someone manages to get on TV and show how easy it is to spy on children that way, then you'll see consumers demanding security.

Doesn't seem to have happened, News articles are already popping up over it, and nothing is going on. It'll likely take either a very serious case(death, kidnapping, etc) to happen, or government regulators stepping in and requiring proper security certification on networked devices. I expect that if there's even a hint of that happening a self-regulating body will suddenly spring into existence by said companies though.

Re:Marketplace Justice

[clicker666]

One of the "features" of some of these new cameras is that they stream back to a remote website. You then log onto that website to view the video. I have a security camera that you access via a Chinese website. In addition, the software is always detected as malware. Nothing sketchy there lol. I just use the camera for monitoring my parking area and utilize its local SD card storage, so no network needed.

Re:hacking

[luvirini]

Correct.

But the logging in with default passwords is. Even though the person that did not change the password is stupid, it is still cracking to take advantage of that stupidity.

Because the parents don't care.

[Harlequin80]

This has less to do with security and more to do with the fact that people don't really care. A baby monitor is there so you can hear / see your baby and make sure it is still breathing and to see if you really do need to go into their room when they are crying. While most people would be creeped out by the idea of someone else looking at their baby on a monitor they don't really care that much. It's not like parents see baby monitors as something that stops you stealing the baby.

Re:Because the parents don't care.

[Harlequin80]

No I don't believe they will. What exactly are the security issues? 99% of baby monitors are pointed at a cot and show nothing more than the inside of the cot, you can't see anything else. You can't see points of entry, you can't see the rest of the room and you are unlikely to be able to identify which room you are looking at. At absolute best you MIGHT be able to see when there is no one home but you sure as hell wouldn't trust the baby monitor to hear the rest of a house.

As for privacy they will get a shit house picture and some poor audio of a baby crying or a baby sleeping. Usually in B&W, with slow frame rates, and an IR light causing everything to look weird. Nothing else is going to be done infront of that camera. No changing of babies, no accidental shots of you in the nude, nothing.

People don't buy baby monitors for security. That is what their door locks and motion sensors are for and a baby monitor does nothing to help someone defeat those.

Re:Because the parents don't care.

[h33t+l4x0r]

People would care if they were aware of the security and privacy risks.

If those babies have nothing to hide then they have nothing to worry about.

Ouch

[burbilog]

Laws will happen. Just as soon as the first death is caused by a hack (or a hack gone wrong). However indirectly. That's what it takes for average people, and thus their representatives, to pay attention and figure out that something actually does matter. Then it will be a CRISIS! and we must do something NOW!

And that's the worst part of the problem. Because they won't fix security problem, they will make it illegal to install custom rom to any wireless device.

terrible

[queBurro]

are you saying someone could park outside my house and listen to me moan about my child kicking shit all over the walls? that's terrible.