Smart baby monitor vulnerability lets strangers watch your kids from afar
Security researchers have discovered a vulnerability in a popular video baby monitor, which could allow strangers to view footage from its camera, and even take control of the device remotely.
One the face of it, a smart baby monitor seems like a great idea for new parent, allowing them to keep an eye on their kids using a smartphone app. Unfortunately, if security measures aren’t implemented properly, they can be a serious privacy risk.
Experts from Bitdefender (in collaboration with PCMag) discovered a severe vulnerability with the iBaby Monitor M6S, which lets third parties access stored files, obtain personal information, and take over the camera itself.
- Check out our guide to the best antivirus software (paid and free)
- We’ve also rounded up the best anti-malware software
- Already infected? Here’s the best malware-removal software
Diving into the device’s firmware revealed that, although the camera uses strong encryption standards, they aren’t properly implemented. The camera sends encrypted data to iBaby’s servers using HTTPS, but the security certificate isn’t validated, allowing it to be intercepted by a man-in-the-middle attack.
Who’s looking?
So just how likely is it for anyone to exploit such a weakness? Perhaps more than you’d expect.
At a security demonstration for the release of the Bitdefender Box, TechRadar saw just how easy it is to find and take remote control of a poorly secured IP camera. It’s remarkably straightforward, requiring no expert equipment and little specialist knowledge.
Many cameras are even more vulnerable than the iBaby monitor, thanks to problems like hard-coded admin logins, and firmware based on old open source code with well-publicized weaknesses.
The best way to keep yourself (and your family) safe is to buy products from known brands that will hold themselves to strict standards, and always install any firmware updates as soon as they become available.
Bitdefender has contacted iBaby for comment, but so far the company has yet to reply. We’ll update this article if it chooses to give a statement.