Baby Monitor Hacked – Sorta
The news is reporting that a nanny in Houston said that she heard voices coming from the baby monitor while she was changing her baby’s diaper last week.
Apparently, someone was watching them and talking to them over the built-in speaker in the baby monitor. That speaker is designed so that the parents, using a smartphone, can talk to the baby if they are not there (I assume that they are not leaving the baby alone – that there is someone watching the baby – just not them).
Here is the rub, and I have certainly spoken about this before. I know that security is a pain, but if you don’t want someone watching you while you are having “mommy and daddy time” then (a) don’t have a camera where you are doing it and (b) follow decent security practices.
So what else does the article say?
- The camera was not password protected – I have never heard of a home security camera that does not allow for a password. This one, from the pictures in the news, looked like a relatively high-end consumer camera, so I am sure that it supported a password.
- The camera, from the pictures on the news, was wireless, so the combination of wireless access and no password is probably not a great parenting choice. Whether the mother was breastfeeding while the perp was watching was not disclosed.
- The family had wifi in the house. That connection was password protected; however, if the perp was within range of the camera’s wifi, the fact that the house wifi was password protected would be irrelevant. The news did not disclose what the password on the home wifi was, but given the camera had no password, maybe the house wifi had the default password. These are usually difficult to guess – like admin or password or possibly Password. For any given manufacturer, you can find the manual on the Internet, and in the manual is the default password.
There are search engines like Shodan (www.shodan.io) that will allow you to search for web cams. You can even specify which brand of camera you are interested in. It will give you a list. No password and poof, you are on the list.
Or the perp could be driving around the neighborhood looking for open wifi cams. Sounds like if he did that, he would have no problem here.
So, if you are going to use wireless technology, whether it is a camera or an access point, you MUST do some basic stuff. Make sure that it is patched. Make sure that it is password protected. And don’t make your password 123456. If you are making the device available on the internet through one of the many camera sharing web sites, make sure your credentials for that site are not easy to guess.
This is no different from any other password situation.
You, the user, have to make good choices. There is nothing that the manufacturer or Internet service provider can do other than suggest you make good choices. You bought the camera; now make good choices.
One other thing I want to point out. Maybe you are an exhibitionist and are OK with some creeper watching you and your kids. Remember, that camera is on the same network as all the other devices that you have in your house (unless you are like me, and that is a whole other blog post). If the camera is compromised then, potentially, every other device in the house can be compromised. That is how both the Target and Home Depot attacks started.
Mitch