A research firm says the security flaws it found in more than half a dozen baby monitors show what a hacker playground the Internet of Things is becoming.
Rapid7, a Boston security data analytics company, said that it has found 10 vulnerabilities in six different companies’ popular baby monitors, the gadgets that let parents use their smartphones or branded devices to check on their sleeping baby.
There may not be that many hackers interested in watching babies on their own phones, but Rapid7 says the flaws illustrate how shaky security is in the growing Internet of Things. Since many homes double as second workplaces, the vulnerabilities of devices like baby monitors could expose employers’ networks to hacking, the company said in the report.
Many IoT devices are “insecure by default,” wrote the authors, Mark Stanislav and Tod Beardsley. They said only one baby monitor vendor, Philips, responded with a timeline for fixing the vulnerability Rapid7 identified.
“IoT devices, unlike traditional computers, often lack a reasonable update and upgrade path once the devices leave the manufacturer’s warehouse,” the report said, and the network they’re connected to is rarely used to deliver security patches. The lack of a “safe patch pipeline” is a serious problem for the IoT, it added.
“A sub-one hundred dollar video baby monitor, a five hundred dollar smart phone, a thirty-five-thousand dollar connected car and a four hundred million dollar jet liner are all difficult to patch, even when vulnerabilities are identified, known and a fix is in hand,” the report said.
The baby monitors examined in the study were iBaby M6 and M3S; Philips In.Sight B120/37; Summer BabyZoom; Lens Peek-a-View; Gynoii; and TRENDnet WiFi Baby Cam.
iBaby spokeswoman Elnaz Serraf said that “the issues have already been resolved and updated.” Among other things, the data communication between apps and the cloud has been encrypted and a secure browser (https) has been enabled for communication between apps and Amazon Web Services, Serraf said in an email.
A spokesman for Gynoii said that Rapid7 was trying to guess the correct password, but even to do that it would first have to pass through a router’s firewall. Nevertheless, the spokesman said Gynoii will contact Rapid7 “and leverage their advance knowledge on this field to see if we could co-work a resolution for this market.”
TRENDnet said that its security team found that for someone to exploit the security bug they would have to have physical access to the camera to rewire the circuit board. The company said it has been “working tirelessly” to find a solution and has prepared a patch. “A firmware update will be available shortly,” a spokeswoman said.
Philips told Rapid7 the tested device was discontinued in 2013 and the current manufacturer and distributor is Gibson Innovations. Gibson has developed a solution and will make updates by Sept. 4.
Summer Infant said it has resolved the issue. “We take all matters of privacy seriously, and will continue to ensure the highest level of security for our customers,” the company said in a statement.
Lens has not yet responded to a request for comment.
Photo of iBaby monitors mentioned in the report courtesy of iBaby Labs.