• United States



Baby monitor hack highlights manufacturers’ security shortfalls

Aug 15, 20134 mins
Application SecurityData and Information SecurityGovernment

In addition to lax passwords, manufacturer lacks a effective way to get its patches and updates out to customers.

The frightening experience of a Texas couple who discovered their toddler’s baby monitor had been hacked by an apparently demented man showcases the serious security lapses in consumer electronics, experts say.

Researchers have repeatedly documented the security flaws in Internet-connected video cameras. But for Marc and Lauren Gilbert of Houston, academic findings became reality when they heard the creepy voice of a vulgar man calling their sleeping 2-year-old daughter Allyson an “effing moron” and telling her to “wake up you little slut,” ABC News reported.

The intruder, who apparently had taken control of the Foscam-manufactured camera in the child’s room, turned his attention to the Gilberts when they entered after hearing strange noises from the kitchen. The man shouted expletives and called Gilbert a stupid moron and his wife a b—-, ABC said.

How the man broke into the device through the Internet is not known, but vulnerabilities in wireless IP cameras manufactured under the Foscam brand are well known.

Two researchers from security vendor Qualys reported in April that they could easily find the Internet-connected cameras on the Web using the Shodan search engine. They then discovered that breaking in through the devices’ Web interfaces was not difficult.

Among the serious security lapses they found was allowing users to login with the default “admin” user name and no password, PCWorld reported. (This flaw was found in roughly 20 percent of the cameras studied.

Foscam did not return a call or email requesting comment.

Artem Harutyunyan, a researcher in the Qualys study, said Wednesday the manufacturer was quick in releasing patches for vulnerabilities as they were discovered by Harutyunyan and his partner, Sergey Shekyan.

“They were pretty quick in rolling out updates and patching the vulnerabilities as they came in,” Harutyunyan told CSOonline.

[Also see: Smart TV hack highlights risk of ‘The Internet of Everything’]

What the manufacturer lacked was an effective way to get the patches and updates out to customers.

“There are no automatic updating or alerting mechanisms in the camera,” Harutyunyan said.

Foscam did not place an urgent notice that critical patches were available on its homepage, the BBC reported. However, the company did publicize the fixes in a blog post and in an email sent to people who signed up for the company’s firmware update newsletter.

One logical place where an alert could have been placed is in the web interface customers use to watch and listen to their children, Harutyunyan said. That was not done.

“It shouldn’t be very hard to introduce a change in their code, so whenever there is a new version (of software or firmware), you get an alert on the camera’s Web page,” he said.

Dropping the ball in getting software patches and firmware updates to customers is not unique to Foscam, which also sells its cameras to companies that resell the products under their own brands. Consumer electronic companies in general do a poor job at protecting users from security lapses.

The reason is a lack of awareness about the implications of poor security, experts say. At the same time, manufacturers are rushing to get products on the Internet in order to offer unique services, a trend often referred to as the “Internet of Things.”

“On the one level this is a gee-whiz wonderful technological advance, but as often is the case not enough thought has been given to privacy implications of the technology or some of the security implications,” said John M. Simpson, director of the privacy project for Consumer Watchdog.

Consumer electronics companies, as well as many other hardware manufacturers, “very rarely” consider security at the design process, said Matthew Neely, director of research and development for consulting company SecureState.

“A lot of these companies just don’t think about (security) when they release a product,” Neely said. “They want to get it out the door quick and cheap.”

Manufacturers have gotten away with shoddy security because customers have yet to make it a feature they look for when buying a product.

“I thinks it’s going to take a few more incidents like this to wake people up,” Simpson said.

In the meantime, the Federal Trade Commission (FTC) plans to hold a public workshop in November in Washington, D.C., to discuss privacy and security issues from the growing number of Internet-connected cars, appliances and medical devices.