Only at Defcon. There was a session on hacking baby monitors. When my kids were little, a baby monitor would allow me to listen to my baby from at most a hundred feet away. Now baby monitors allow me to see and listen to my baby from anywhere on the planet where I have a smart phone and an internet connection. Not only that, but I can talk to my baby using that same software on my smartphone.
It seems to me that the old fashioned baby monitor was safer and apparently, it was.
We have already seen cases where pervs have looped into those baby monitors and watched mom and/or dad and baby and in some cases, even talked to the baby. Think about what someone might see. That’s creepy.
When your security cameras are outside your house then I am less concerned about someone watching those cameras – and, yes, I know, there are plenty of problems with that scenario.
When the security camera is inside your house, you have a whole different problem.
In addition, if the monitors are vulnerable, potentially, so are any other computers on the same network in your house.
Some of the baby monitors had hard coded userids and passwords (and even if they don’t, many people won’t change the default password.
Others had web servers in the camera that were vulnerable.
Still others allowed for non encrypted transmission of the traffic.
And, others had public web sites that broker access to your camera that were vulnerable.
All of the vendors were notified as was the CERT.
One vendor, Phillips, quickly provided a timeline for a fix (September 4) even though they no longer are responsible for these devices – they are being managed by Gibson Innovations.
Likely other vendors aren’t going to respond as quickly or positively.
More importantly, how many parents will patch their baby monitors – if they even have a clue for how to do that. How do you know that you need to patch your baby monitor? I bet many monitors are not designed to allow parents to patch the code at all.
Assuming Internet of Things vendors don’t want to get dragged into messy lawsuits, they better start thinking about how they are going to patch the millions or billions of IoT devices that will be out there in the upcoming decades.
And, they will need to patch them for years. Just because you came out with a new model next year does not mean that you don’t need to patch the old model any more.
I suspect that plaintiffs lawyers are going to use product liability and lemon laws against vendors that do not fix security holes quickly and without complaining.
Something to ponder whether you are buying or selling IoT devices.
Information for this post came from Rapid7.