Tag Archives: Baby monitor

Baby Monitor Takes Compromising Pictures of Mom

A 24-year-old South Carolina mom, Jamie Summitt, got a rather rude lesson in cyber security.  She purchased a “smart” baby monitor that she could watch from her equally smart phone, only to wake up one day to find the baby monitor pointed at her.

She didn’t think much about that until she watched the camera move on its own to the spot where she breastfeeds her 3 month old.

The camera, a very low-end $34 model from FREDI, is advertised with the claim that there is “NO RISK of PERSONAL INFORMATION” and that it comes with lifetime technical support.

When she and her husband were eating dinner together while the baby slept, her phone alerted her that the camera was moving.  That prompted an Oh (fill in the blank) moment.  Clearly they were not moving the camera.

Remember that consumers are not security experts, and expecting them to be is doomed to failure.

To those of us in the security industry, this is not news; the hacking of baby monitors is a well-worn road.  Since manufacturers are not liable for the security of their products, they choose not to spend money on something that doesn’t generate revenue.

She unplugged the camera and called the police, but when the police arrived and plugged the camera in again, the peeping Tom had actually locked them out of their own camera – likely having heard the conversation with the police.

She contacted Amazon, who pointed her to the manufacturer.  The lifetime tech support number was disconnected and they did not respond to email.  No surprise here.

I wrote a long time ago about the tests that Rapid7 did on baby monitor security, and almost all of them got an F.

So what should you do?

The first thing to do is your own research on the security of whatever baby monitor you are considering purchasing.

See whether your chosen vendor has actually shipped security patches for its monitors in the past.  No patches likely does not mean a secure product – just one that the vendor doesn’t care about after the sale.

Next, change the default password and make the new password something that is complex and hard to guess.

But another simple and low tech thing to do is…

Get an old ski cap and drop it over the camera when you are home. Or at least when you are in the room.  Take it off when you leave and put it back on when you come back.

At least that way the only thing the peeping Tom will see is your (hopefully) sleeping baby.

And not you in a compromising state of undress.


Information for this post came from CSO Online.


Internet of Things – A Security Nightmare

As I have said before, the Internet of Things is going to be a bit of a security ‘challenge’.   Here is just one simple example.

The security company Rapid7 analyzed a number of home video baby monitors.  You know, the kind where you can put a monitor in the bedroom and you or the baby’s grandparents can watch little Sammie from half way around the planet.  Well, 10 out of 10 failed the security test.

My curiosity got piqued after a story was posted about this guy who bought one of these monitors on Amazon but then returned it.  He had, however, already installed the software on his phone, and a few days after he returned it, he started getting email alerts from the monitor.  Curiosity got the best of him too, so he opened the software and, lo and behold, he was looking into someone’s bedroom and seeing things most people don’t want displayed on the Internet.  Apparently, the vendor had no security by default: the returned camera was still bound to his app and nothing required the new owner to re-pair it or change its credentials.

What are some of the key takeaways from the paper?

  1. “It is important to stress that most of the vulnerabilities and exposures discussed in this paper are trivial to exploit by a reasonably competent attacker, especially in the context of a focused campaign against company officers or other key business personnel.”
  2. “Finally, this paper also discusses the insecure-by-default problems inherent in the design of IoT devices, the difficulty for vendors to develop and deliver patches, the difficulties end-users face in learning about, acquiring and applying patches once developed and the friction involved in reporting issues to vendors in a way that is beneficial to end-users.”
  3. “IoT devices are actually general purpose, networked computers in disguise, running reasonably complex network-capable software.  In the field of software engineering, it is generally believed that such complex software is going to ship with exploitable bugs and implementation-based exposures.”
  4. “The presence of devices that are insecure by default, difficult to patch, and impossible to directly monitor by today’s standard corporate IT security practices constitutes not only a threat to the IoT device and its data, but also to the network to which it is connected.”  … “Today, employees’ home networks are rarely, if ever, “in scope” for organizational penetration testing exercises, nor are they subject to centralized vulnerability scanners.”

Before you say that you don’t have any baby monitors in your office, think about this.  Many employees work from home – either at night or on a regular basis.  That baby monitor is on the same WiFi network as your corporate laptop.  The baby monitor is a reasonably sophisticated networked computer.  Your employee’s home network is likely nowhere near as well protected as most corporate networks.  Just connect the dots.

While some hacking is targeted, most hackers just troll to see what they can find.  Just as Target was breached by way of a small refrigeration maintenance contractor, your company could be hacked by way of a rogue baby monitor.

Information for this post came from Rapid7.


Cop Accused Of Spying On Breastfeeding Mom

A Michigan woman is suing a police officer who, she alleges, used the baby monitor app on her fiancé’s cell phone – confiscated when the fiancé was arrested – to spy on her while she was nude and breastfeeding her son.

Note that nothing has been proved yet, so these are only claims and allegations, but the case points to a whole new series of issues, concerns and challenges that we didn’t even have to think about just a few years ago.  A few years ago, baby monitors only let you hear, not see, and at most you worried about the sound being picked up by your neighbor on their radio, because that was as far as it could possibly reach.  This is not really a story about a baby monitor, but rather about how technology is changing our lives and shaping what our kids are going to deal with.  These challenges will not end in our lifetime or even our kids’ lifetimes.  People will need to consider and deal with a whole new set of issues that were not possible before.

The woman in the lawsuit first noticed that the LED on the baby monitor was flashing while she was breastfeeding her son, and given that her fiancé wasn’t using it, that meant someone else was.

Later that night she saw the light flashing again and realized that someone was watching her again; when she reacted, the light stopped flashing.

WARNING:  Just because the light is not flashing does not mean that you are safe.  It is certainly possible for a baby monitor to be hacked so that it streams without turning on the LED; we have seen many demonstrations of this on phones and laptops.  But if the light is flashing, it is likely that someone is looking.  Not all monitors have an indicator like that at all.

The lady then used the “find my iPhone” feature and found that the phone was located in the Hazel Park, Michigan home of police officer Michael Emmi.

The police chief seems to be siding with the police officer, so this may all play out in court.  Or, it may be settled out of court. To me, if true, the find my iPhone locating the phone at the house of the police officer is a bit of a red flag.  You don’t take evidence home as a general rule.

There are several things that come to mind as a result of this incident:

  1. Put a strong password on your phone.
  2. Do NOT unlock it just because a police officer asks.  Consult with your attorney.  As a general rule, in the most cooperative case, you want the police to get a warrant and you want the judge to limit what they can look for.  If possible, you would like your attorney present while they rummage through the phone.  They are likely going to take an image of the phone when they unlock it, and you want the court to specify how they need to protect the data if they do that.
  3. If there are adult images on the phone (as opposed to the guy with the child porn in an earlier post), fess up to that to your attorney.  The attorney may be able to get the court to require that those images be deleted prior to imaging – or at least protected – since they are likely not to be relevant.
  4. If you have been texting adult images, you are likely S.O.L. since the cops can get those texts with a warrant from the carrier.
  5. Some secure messaging services require a separate password to start the app, but if you tell the app to save the password, then that does not help.  SECURITY. CONVENIENCE.  PICK ONE AND ONLY ONE.  Consider what you are using the phone for, your level of concern and then make choices you can live with.
  6. This does not only affect YOUR phone.  In this case, it was not the woman’s phone, it was her boyfriend’s phone.  We have seen many cases of schools confiscating kids phones and searching them.  I am sure that there are “inappropriate” images on many kids phones, especially the older kids.  This means you need to train your entire family.
  7. Most courts (with the one I reported on recently being an exception and that is being appealed), will not require you to divulge your password.  Fingerprints yes, passwords no.  Your attorney may be able to negotiate some form of immunity for unlocking your phone if you are a small fish in the police’s mind.
  8. Some phones can be remotely wiped.  I have no idea if this is legal once the phone has been confiscated.  Protocol should require the phone to be placed in a shielded bag and sealed to stop anyone from remotely wiping it, but I doubt all police departments do that.  If the phone is in a shielded bag or powered off, the remote wipe won’t work, but it may automatically wipe when the phone comes back online.

There is an ongoing tension between people’s privacy and law enforcement’s need to investigate crimes.  In this case, the phone was confiscated from someone who was arrested on marijuana charges.  I gather, although it doesn’t say so, that the crime was not smoking a joint, it was something more serious.  If you don’t want the cops searching your phone, the first thing you might want to consider is not growing or selling illegal drugs.

All of this just points to the fact that our world is changing as tech becomes an integrated part of our lives and the law is going to have to adjust.

This is just my two cents – remember, I am not a lawyer and do not play one on the Internet.

Information for this post came from the Detroit Free Press.
