9/2/2015
09:45 AM

Baby Monitors Expose Home -- And Business -- Networks

Researchers find major security flaws in popular networked video baby monitor products that could allow attackers to snoop on babies and businesses.

Rapid7 researchers discovered ten gaping security holes in eight different networked video baby monitors that they say could expose not only a family's privacy but ultimately the security of businesses with home workers. The flawed baby monitors represent a microcosm of inherent insecure features that come with Internet of Things (IoT) devices of all sizes, the researchers say.

"A lot of the same [security] issues are in business-focused IoT," says Mark Stanislav, senior security consultant at Rapid7, who spearheaded the new research. Seemingly benign networked devices such as nursery monitors could be used as a stepping-stone to other home network devices, namely a home worker's business data and applications, he says.

Why hack baby monitors? "It's a safety device that seems innocuous and friendly," Stanislav says, but in reality carries some classic IoT vulnerabilities that could all too easily be exploited.  

Like most consumer home IoT devices, baby monitors are basically black boxes shipped and built without security. The devices include cameras that can be commandeered to scan the entire home network, for example, he says. "It's the same risk of any IoT device in your home" being used as a stepping-stone to your office network and data, he says.

Stanislav studied networked baby monitors from six vendors, ranging in price from $55 to $260. "I really wanted to figure out if cameras of a higher price [range] were more secure or less secure," he says. The devices are vulnerable to remote attacks if they're connected to a WiFi network; otherwise, they can only be hacked via a physical attack.

It's not the first time baby monitors have been hacked by researchers, but it is the first time a wide range of them has been studied and tested closely for their security bugs and risks of compromise, he says.

Stanislav in his research found hardcoded backdoor credentials (think "admin" and "admin") in five of the devices, a privilege escalation bug in one, an authentication bypass flaw in another, an information leakage flaw in another, a direct browsing flaw in another, and a reflective, stored cross-site scripting (XSS) bug in another model.

Rapid7 so far hasn't seen signs of any widespread home IoT attack campaigns, and none of the baby monitor bugs had been fixed as of this posting. But the researchers say their report should serve as a warning of the "growing risk businesses face as their employees accumulate more of these interconnected home devices" and the lines "blur" between home and business networks.

The Philips Electronics audio/video In.Sight Wireless HD Baby Monitor B120E/37 accounted for three of the vulnerabilities Rapid7 found: hardcoded credentials that could be used to access the local Web server and the operating system of the device; reflective and stored XSS in the cloud-based Web service used to stream video; and a flaw in the remote viewing feature that could allow an unauthorized person to see video feeds generated by the baby monitor.

"It's exposing the entire camera Web app server on the Net," Stanislav says of the bugs. "If you connect to the device and you're not the person who initiated the connection and is authorized to view it, you shouldn't" be allowed to view it, he says. "The vuln is [that it's] not requiring any authentication," he says.

Philips says it no longer manufactures the monitor and has licensed it to Gibson Innovations, which distributes the product under the Philips brand name. "Gibson Innovations is aware of the identified security vulnerabilities, and has been developing and implementing software updates for the affected discontinued version of the product. The software update is expected to be available to the general public by the first week of September 2015," a Philips spokesperson said in a statement provided to Dark Reading.

"Philips and Gibson Innovations are committed to ensuring the security and integrity of our products," the statement said. "Whilst the security vulnerabilities are a concern and are being addressed, at this time we are not aware of any consumers who have been directly affected by this issue."

Other baby monitors found with flaws: The iBaby Labs iBaby M6 and iBaby M3S monitors; Summer Infant Zoom Baby WiFi & Internet Viewing System; Lens Laboratories Lens Peek-A-View; Gynoii's Gynoii; and TRENDnet WiFi BabyCam TV-IP743SIC. 

The iBaby M3S's hardcoded credentials are "admin" for the login, and "admin" as the password. Stanislav also found what he describes as a "critical" flaw in the playback video feature of the iBaby monitors. "The actual [web] page showing file names is not protected for the individual camera owner," he says. "It shows the file names on the public site. So as long as you know a file name, you can now download the video. It [also] lets one person with any account write a script to download every video from other [customers'] camera recordings. There is no authentication."
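The missing control in the playback flaw described above is a per-owner authorization check on both the recording listing and the download. The sketch below is an added example, not code from Rapid7 or any vendor; the account names, camera IDs, file names and function names are all hypothetical, and the in-memory tables stand in for a real service's database.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: camera ownership and stored recordings.
CAMERA_OWNER = {"cam-001": "alice", "cam-002": "bob"}
RECORDINGS = {
    "cam-001": {"2015-09-01_0930.mp4"},
    "cam-002": {"2015-09-01_1015.mp4"},
}


@dataclass
class Session:
    user: Optional[str]  # None means the request carried no valid login


def download_unprotected(camera_id: str, filename: str) -> int:
    """Behaviour the article describes: a known file name is sufficient."""
    return 200 if filename in RECORDINGS.get(camera_id, set()) else 404


def download_authorized(session: Session, camera_id: str, filename: str) -> int:
    """Serve a recording only to the authenticated owner of the camera."""
    if session.user is None:
        return 401
    # Unknown camera, someone else's camera and unknown file all return
    # the same 404, so responses do not confirm which recordings exist.
    if CAMERA_OWNER.get(camera_id) != session.user:
        return 404
    if filename not in RECORDINGS.get(camera_id, set()):
        return 404
    return 200


def list_recordings(session: Session, camera_id: str) -> list:
    """File listings are owner-only as well; a public listing is what
    makes other customers' file names discoverable in the first place."""
    if session.user is None or CAMERA_OWNER.get(camera_id) != session.user:
        return []
    return sorted(RECORDINGS.get(camera_id, set()))


if __name__ == "__main__":
    alice = Session("alice")
    print(download_unprotected("cam-002", "2015-09-01_1015.mp4"))
    print(download_authorized(alice, "cam-002", "2015-09-01_1015.mp4"))
    print(list_recordings(alice, "cam-001"))
```
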

Stanislav today will present his findings at the High Technology Crime Investigation Association conference in Orlando, Fla. 

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
Kelly Jackson Higgins,
User Rank: Strategist
9/2/2015 | 11:57:38 AM
Re: Privacy Concerns
Yes--devices that were designed for peace of mind, security end up being a security risk. Same as with many home automation/security systems.
RyanSepe,
User Rank: Ninja
9/2/2015 | 11:53:33 AM
Privacy Concerns
Unfortunately, the desired functionality gained as represents its inherent flaw. It's amazing how with the IoT developing more and more of a footprint how security is not ingrained from the beginning. It's not a new premise.