Modern baby monitors allow parents to watch their children in their cribs, play areas, or the like; cameras film the children and stream the video feed to a specialized device, a password-protected website, or an app on a smartphone or tablet.
A new study, however, shows that serious security vulnerabilities exist in many popular monitor models, and that parents must exercise caution when using these types of products.
The report, written by two researchers at information-security firm Rapid7 who tested nine popular Internet-connected baby monitor products, details vulnerabilities found in every one of the products tested. Some issues were with code used on the various vendors' websites--for example, "any authenticated user... is able to view camera details for any other user." Other offerings used unchangeable, weak, publicly known passwords: "The device ships with hardcoded credentials... which grants access to the underlying operating system. Those credentials are Username: admin Password: admin." Still other issues involved the transmission of video streams with no encryption.
Some of the risks are quite serious: hackers can, for example, exploit the vulnerabilities to take control of the monitors' cameras and microphones and spy on people, or use the devices to read information transmitted by other computers on a user's home network. Businesses could also be vulnerable as many people have only one network at home, and, therefore, many telecommuters access corporate computer systems from the same networks to which they attach baby monitor cameras.
Making matters worse: the vulnerabilities described in the report are not difficult to exploit; as the researchers note, it would be relatively simple for a reasonably experienced hacker to leverage them for nefarious purposes.
Interestingly, spending more money to acquire a higher-end monitor may not offer better protection; according to the report, the additional features present on the more expensive models often opened the door to more security risks, rather than delivering better security.
The present study is not the first mention of security problems found in baby monitors. In the past, issues have been discovered related to products' using weak default passwords (e.g., "1234") that are the same for all camera/monitor combinations of the same make--allowing anyone who checks the default password through a simple Google search to access the feeds of many other people's cameras. (Most people don't realize that they need to change passwords on these types of devices.) There was even a website profiled in Inc. that shared people's baby monitor feeds for anyone to watch! Likewise, non-Internet-connected monitors--i.e., those that come with their own device for watching the camera feeds--have been, at times, found to transmit without encryption; neighbors could sometimes pick up each other's transmissions.
While it may be wise for those who wish to use baby monitors to purchase a unit with no known security concerns (and, in some cases, the vulnerabilities reported by Rapid7 have been, or are being, corrected by their respective manufacturers), the reality is that it is a near certainty that some future monitor models will have vulnerabilities. As such, users of baby monitors might still want to consider the following suggestions for protecting themselves: