NEW YORK » Several of the most popular Internet-connected baby monitors lack basic security features, making them vulnerable to even the most basic hacking attempts, according to a new report from a cybersecurity firm.
The possibility of an unknown person watching their baby’s every move is a frightening thought for many parents who have come to rely on the devices to keep an eye on their little ones. In addition, a hacked camera could provide access to other Wi-Fi-enabled devices in a person’s home.
The research released Wednesday by Boston-based Rapid7 Inc. looks at nine baby monitors made by eight companies. They are priced from $55 to $260.
The cameras film the child, then send that video stream to a personal website or an app on a smartphone or tablet. Some cameras also feature noise or motion detectors and alert parents when the baby makes a sound or moves.
“There’s a certain leap of faith you’re taking with your child when you use one of these,” said Mark Stanislav, a senior security consultant at Rapid7 and one of the report’s authors.
The researchers found serious security problems and design flaws in all of the cameras they tested. Some had hidden, unchangeable passwords, often listed in their manuals or online, that could be used to gain access. Some devices didn’t encrypt their data streams, or some of their Web or mobile features, Stanislav says.
The problems with the cameras highlight the security risks associated with what’s become known as the “Internet of things.” Homes are becoming increasingly connected, with everything from TVs to slow cookers now featuring Wi-Fi connections. But many consumer devices often don’t undergo rigorous security testing and could be easy targets for hackers.
And if a hacker gains access to one device, he or she could potentially access everything tethered to that home’s Wi-Fi network, from a home computer storing financial information to a company’s system being accessed by an employee working from home. “And unlike a laptop where you can install firewalls and anti-malware, you can’t do that here,” Stanislav said.
Researchers rated the devices’ security on a 250-point scale, then assigned letter scores. Eight devices received an F, while one received a D. All of the camera manufacturers were notified of the problems and some have taken steps to fix them.
For example, researchers noted that the Philips In.Sight B120 baby monitor, which retails for about $78, had a direct, unencrypted connection to the Internet. That could allow a hacker to watch its video stream online, as well as remotely access the camera and change its settings, the report says.
Philips NV released a statement noting that the model in question has been discontinued. It added that its brand of video baby monitors is now licensed to Gibson Innovations, which is aware of the problems and is working on a software update designed to fix them.
Also tested were the iBaby and iBaby M3S, Summer Infant’s Summer Baby Zoom WiFi Monitor & Internet Viewing System, Lens Peek-a-View, Gynoii, TRENDnet WiFi Baby Cam TV-IP743SIC, WiFiBaby WFB2015 and Withings WBP01.
Officials for iBaby and Lens Laboratories Inc. didn’t respond to requests for comment. A spokesman for Withings said he couldn’t immediately comment.
Summer Infant said it is reviewing the report’s findings and will take any needed precautions. Gynoii said it is reaching out to Rapid7 in hopes of fixing the issues with its camera.
TRENDnet notes that physical access to its camera would be needed to exploit its security bug, but it has prepared a patch, and a software update will be available soon. And WiFiBaby released a statement defending its camera’s security, noting that its latest software requires users to set their own unique password when they set up their camera.