Panic in the Nursery: Research finds Baby Monitors make Easy Targets

Philips InSight wireless baby monitors were among those found to contain serious, remotely exploitable vulnerabilities, according to Rapid7 researchers.

In-brief: Researchers from the security firm Rapid7 revealed the findings of a survey of common wireless baby monitors and nanny-cams, and found a host of serious and, in some cases, remotely exploitable vulnerabilities.

More than two years after news first broke about hacks of wireless baby monitors, you would think that makers of similar products would have taken the cue and shored up security for the devices they sold to the public. But you would be wrong.

Researchers from the security firm Rapid7 revealed the findings of a survey of common wireless baby monitors and nanny-cams, and found a host of serious and, in some cases, remotely exploitable vulnerabilities in products from six vendors including electronics giant Philips. Cameras by Philips, iBaby, Summer Infant, Gynoii, Lens Peek-a-View and TRENDnet were all found to contain serious vulnerabilities. Five out of ten of the vulnerabilities could give outsiders the ability to take control of the camera and peer in on residents.

Rapid7 Senior Researcher Mark Stanislav will discuss wireless baby monitors at the Security of Things Forum in Cambridge on Sept. 10. Click the image above to register and take advantage of a 25% discount for Security Ledger readers!

The Rapid7 work represents what is believed to be the first systematic study of baby monitors or “nanny cams” – a wildly popular category of consumer electronics that allows owners to remotely access and control an in-home camera using a mobile or desktop application: pivoting, zooming in or panning out and so on.

In a post on Rapid7’s blog, Security Research Manager Tod Beardsley detailed ten vulnerabilities discovered in the course of the research. They describe a wide range of serious security holes discovered on the baby monitors and, just as often, in web services used to support deployed cameras. All have been reported to the respective vendors which, in a couple of cases, have issued software updates to address the security issues in question.

Among the most serious of the flaws are three instances of so-called “back door credentials”: hidden, administrative accounts that ship with each device. An attacker who knew of the existence of the credentials could, in theory, get access to and take control of the vulnerable monitor.

For example, the iBaby M6 product has what is described as a “predictable public information leak” vulnerability (CVE-2015-2886) in the ibabycloud.com web service, which is used to support and manage deployed cameras. According to Rapid7 researchers, any authenticated user of the ibabycloud.com service is able to view camera details for any other user, including video recording details, due to a vulnerability that allows anyone to plug in a valid objectID for a camera – a unique value that consists of eight hexadecimal characters, corresponding with the serial number for the device.

A would-be attacker could simply enumerate all possible object ID values and use them to access deployed cameras, the researchers wrote. Once an attacker is able to view an account’s details, a knowledgeable attacker could also use information accessible via the web interface to view videos stored on Amazon Web Services that were created as motion “alerts” from that camera without further authentication.
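The missing control in the objectID flaw described above is an ownership check on the server, and the enumeration it enables leaves a recognizable trail in access logs. The following is an added example, not code from Rapid7 or iBaby; the ownership table, function names, log format and threshold are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed ownership table: objectID -> owning account (hypothetical data).
OWNERS = {"0a1b2c3d": "alice", "0a1b2c3e": "bob", "0a1b2c3f": "carol"}


def get_camera_details(session_user, object_id):
    """Return camera details only if the caller owns the camera.

    The flaw described above is the absence of this comparison: being
    logged in was enough to read any objectID. Unknown and foreign IDs
    get the same answer, so responses do not confirm which IDs exist.
    """
    if session_user is None or OWNERS.get(object_id) != session_user:
        return 404, None
    return 200, {"object_id": object_id, "owner": session_user}


def flag_enumeration(log_lines, max_foreign_ids=3):
    """Flag accounts that request many distinct objectIDs they do not own."""
    foreign = defaultdict(set)
    for line in log_lines:
        _timestamp, user, object_id = line.split()
        if OWNERS.get(object_id) != user:
            foreign[user].add(object_id)
    return sorted(u for u, ids in foreign.items() if len(ids) > max_foreign_ids)


# Constructed sample log: "<timestamp> <account> <objectID requested>"
SAMPLE_LOG = [
    "2015-09-02T10:00:00Z alice 0a1b2c3d",
    "2015-09-02T10:00:05Z bob 0a1b2c3e",
    "2015-09-02T10:00:06Z bob 0a1b2c3d",  # one stray request, below threshold
] + [
    "2015-09-02T10:01:%02dZ mallory %08x" % (i, 0x0A1B2C00 + i)
    for i in range(10)  # one account walking sequential IDs
]

if __name__ == "__main__":
    print(get_camera_details("bob", "0a1b2c3d"))  # denied: not the owner
    print(flag_enumeration(SAMPLE_LOG))
```
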

The Philips Electronics In.Sight B120/37 is another wireless baby monitor that was found to have problems typical of the group. The device ships with hardcoded and statically generated credentials for accessing both the device’s operating system and – for users on the same network as the device – local web services that can be used to access management features or live video feeds, according to a vulnerability note (CVE-2015-2882).

The InSight camera underscores many of the challenges facing makers of modern, connected products for use in the home. One set of hard-coded credentials for the device operating system, the username “admin” and password “mg3500,” appears to be inherited from stock firmware used on other Philips.

The vendor Summer Infant’s Summer Baby Zoom WiFi Monitor & Internet Viewing System was another camera with a vulnerable management back-end. Rapid7 said that the camera’s MySnapCam web portal, which provides account management features, is vulnerable to an account bypass attack that would allow an attacker who had a valid camera ID value to use a URL retrievable via an HTTP GET request to add a new user to the camera without any authentication. Once a new user is added, authentication details for the MySnapCam web site and mobile application would be mailed to an address provided by the attacker, but other camera administrators would not be notified of the new account.

Other cameras exhibited weak internal controls: letting lower privileged users access administrative features with nothing more than a correct URL, for example.

This isn’t the first time that connected home products, including surveillance cameras, have been singled out for lax security. There have been repeated, harrowing incidents in the last two years from owners of wireless baby monitors who reported their devices being compromised by remote attackers who used their access to speak to their children – in one case shouting obscenities over the monitor and in the other yelling “Baby, Wake Up!” to a sleeping infant in a room outfitted with a wireless monitor.

Research in related areas has also turned up lax security practices. Researcher Mike Davis of the firm IOActive researched the Belkin WeMo home automation products and found the “devices expose users to several potentially costly threats, from home fires with possible tragic consequences down to the simple waste of electricity.” Among the problems: flawed use of encryption technologies. WeMo devices shipped with both private and public encryption keys stored on the devices and failed to validate SSL certificates used to authenticate inbound communications to the device, Davis discovered.

In fact, one vendor on Rapid7’s list of wireless baby camera makers, TRENDnet, has already run afoul of regulators. In 2014, the US Federal Trade Commission (FTC) approved a settlement with that Torrance, California firm stemming from a 2012 case concerning lax security features in its line of SecurView cameras. Those cameras were found to be poorly secured against external attackers, who could access them and use them to spy on the homes and private lives of hundreds of consumers. Three years later, Rapid7 found that TRENDnet’s WiFi Baby Cam ships with hardcoded credentials, accessible via a UART interface, that could give local, root-level operating system access to a malicious attacker who had physical access to the device.

Vulnerabilities were disclosed to the vendors in early July. At the time of publication, all vendors had acknowledged receipt of the researchers’ findings, but none had issued patches or other software fixes to address the security incidents, Rapid7 said.

The problems aren’t specific to baby monitors, but are characteristic of Internet of Things problems in general, Beardsley wrote in the blog.
