Baby monitor hack highlights manufacturers' security shortfalls

The frightening experience of a Texas couple who discovered their toddler's baby monitor had been hacked by an apparently demented man showcases the serious security lapses in consumer electronics, experts say.

Researchers have repeatedly documented the security flaws in Internet-connected video cameras. But for Marc and Lauren Gilbert of Houston, academic findings became reality when they heard the creepy voice of a vulgar man calling their sleeping 2-year-old daughter Allyson an "effing moron" and telling her to "wake up you little slut," ABC News reported.

The intruder, who apparently had taken control of the Foscam-manufactured camera in the child's room, turned his attention to the Gilberts when they entered after hearing strange noises from the kitchen. The man shouted expletives and called Gilbert a stupid moron and his wife a b----, ABC said.

How the man broke into the device through the Internet is not known, but vulnerabilities in wireless IP cameras manufactured under the Foscam brand are well known.

Two researchers from security vendor Qualys reported in April that they could easily find the Internet-connected cameras on the Web using the Shodan search engine. They then discovered that breaking in through the devices' Web interfaces was not difficult.

Among the serious security lapses they found was allowing users to log in with the default "admin" user name and no password, PCWorld reported. (This flaw was found in roughly 20 percent of the cameras studied.)

Foscam did not return a call or email requesting comment.

Artem Harutyunyan, a researcher in the Qualys study, said Wednesday the manufacturer was quick in releasing patches for vulnerabilities as they were discovered by Harutyunyan and his partner, Sergey Shekyan.

"They were pretty quick in rolling out updates and patching the vulnerabilities as they came in," Harutyunyan told CSOonline.

What the manufacturer lacked was an effective way to get the patches and updates out to customers.

"There are no automatic updating or alerting mechanisms in the camera," Harutyunyan said.

Foscam did not place an urgent notice that critical patches were available on its homepage, the BBC reported. However, the company did publicize the fixes in a blog post and in an email sent to people who signed up for the company's firmware update newsletter.

One logical place where an alert could have been placed is in the web interface customers use to watch and listen to their children, Harutyunyan said. That was not done.

"It shouldn't be very hard to introduce a change in their code, so whenever there is a new version (of software or firmware), you get an alert on the camera's Web page," he said.
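The alert Harutyunyan describes needs two pieces of logic the device currently lacks: a numeric (not string) comparison of the installed firmware version against a published "latest" version, and a check that the update notice itself is authentic before the web page trusts it. The following is an added illustration written for this article, not Foscam code; the manifest, versions and the HMAC key are constructed, and HMAC stands in for the asymmetric signature a real firmware channel would use so that a key extracted from one camera cannot forge notices for all of them.

```python
import hashlib
import hmac
import json

# Constructed sample: a firmware manifest as a vendor might publish it,
# with an HMAC tag over its JSON body. Key and values are illustrative only.
MANIFEST_KEY = b"example-manifest-key"  # assumption: provisioned at build time
LATEST = {"version": "1.4.2", "critical": True,
          "notes": "fixes unauthenticated access to the web interface"}
_BODY = json.dumps(LATEST, sort_keys=True)
MANIFEST = {
    "body": _BODY,
    "tag": hmac.new(MANIFEST_KEY, _BODY.encode(), hashlib.sha256).hexdigest(),
}


def parse_version(version):
    """Turn '1.4.2' into (1, 4, 2) so '1.10.0' sorts above '1.4.2'."""
    return tuple(int(part) for part in version.split("."))


def verify_manifest(manifest, key=MANIFEST_KEY):
    """Return the parsed manifest body, or None if its tag does not verify.

    Without this step a forged manifest could point the camera at attacker
    firmware, so the update channel itself would become the weak spot."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return None
    return json.loads(manifest["body"])


def update_alert(installed, manifest, key=MANIFEST_KEY):
    """Build the notice the camera's web page should display, or None if current."""
    latest = verify_manifest(manifest, key)
    if latest is None:
        return {"level": "error",
                "message": "update manifest failed verification; nothing applied"}
    if parse_version(latest["version"]) <= parse_version(installed):
        return None
    level = "critical" if latest.get("critical") else "info"
    return {"level": level,
            "message": (f"firmware {latest['version']} available "
                        f"(installed {installed}): {latest['notes']}")}
```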

Dropping the ball in getting software patches and firmware updates to customers is not unique to Foscam, which also sells its cameras to companies that resell the products under their own brands. Consumer electronic companies in general do a poor job at protecting users from security lapses.

The reason is a lack of awareness about the implications of poor security, experts say. At the same time, manufacturers are rushing to get products on the Internet in order to offer unique services, a trend often referred to as the "Internet of Things."

"On the one level this is a gee-whiz wonderful technological advance, but as often is the case not enough thought has been given to privacy implications of the technology or some of the security implications," said John M. Simpson, director of the privacy project for Consumer Watchdog.

Consumer electronics companies, as well as many other hardware manufacturers, "very rarely" consider security at the design process, said Matthew Neely, director of research and development for consulting company SecureState.

"A lot of these companies just don't think about (security) when they release a product," Neely said. "They want to get it out the door quick and cheap."

Manufacturers have gotten away with shoddy security because customers have yet to make it a feature they look for when buying a product.

"I think it's going to take a few more incidents like this to wake people up," Simpson said.

In the meantime, the Federal Trade Commission (FTC) plans to hold a public workshop in November in Washington, D.C., to discuss privacy and security issues from the growing number of Internet-connected cars, appliances and medical devices.

Stories by Antone Gonsalves