Several video baby monitors from six different manufacturers underwent in-depth security testing, and the results were poor.
Yes, the devices lacked basic security.
Rapid7 made the critical security research public at the High Technology Crime Investigation Association (HTCIA) conference on September 2, 2015, after following a disclosure policy.
A month ago, The Hacker News (THN) reported on how IoT is making smart cities vulnerable. This time, a highly personal IoT device, the baby monitor, has been identified as a potential victim of hacking.
According to a 2014 Gartner report, the IoT space is expected to be crowded with over 25 billion devices in five years, i.e. by 2020.
Reportedly, ten vulnerabilities were found in the baby monitoring devices, and the affected vendors were contacted for comment on how they plan to address the severe flaws in their products.
The newly found vulnerabilities affect the baby monitors in the following ways:
- Privilege Escalation
- Backdoor Credentials
- Reflective, Stored XSS
- Predictable Information Leak
- Authentication Bypass
- Direct Browsing
- Cleartext Cloud API
To summarize the outcomes: stored video recordings are not encrypted, passwords are easily guessable, and communications (local as well as cloud-based) do not use encrypted protocols, to name a few.
The vulnerabilities are assigned CVE numbers after the vendors, and the US-CERT has been notified about the issue.
The disclosure report lists the vendor names (such as iBaby Labs, Inc., Philips Electronics N.V. and Summer Infant), the related products, the associated flaws and mitigation methods.
Only one vendor, Philips N.V., responded with concern over the reported issues associated with its product and assured that a fix would come soon.
You can also read the official statement on the security of iBaby Labs monitors made by Elnaz Sarraf (Vice President, iBaby Labs).
Rapid7 has prepared a full-fledged case study, written by Mark Stanislav and Tod Beardsley, that explains the vulnerabilities and exposures in baby monitors that lead to the hacking of these IoT devices.
The white paper depicts just one scenario of how an IoT device can pose a threat to your life. It also raises awareness of the security concerns that will arrive with the Internet of Things in the future.