Baby monitor hack shows danger of default passwords

Summary: ABC News ran a story of a hacked baby monitor for the visceral fear it provokes. A more useful interpretation of the events is to warn of the dangers of default passwords.

ABC News is reporting a story of a family in Houston, TX whose baby monitor was hacked. See the embedded video of the story below.

The story describes how the camera began emitting an unknown voice which spoke abusively to the children.  The parents expressed relief that the 2-year-old girl in whose room the camera was located is deaf, so she didn't hear the perpetrator yell obscenities at the child.

The ABC News story does not provide a make or model of the camera, nor any details of how it was compromised, but it's not hard to guess. It's unfortunate that the story did not take the next logical step to ask how this happened and how it could be prevented. Instead it paints the attacker as mysterious and powerful, if still a jerk.

The camera is clearly a Wi-Fi device based on the images in the story and almost certainly comes with a default username and password. Anyone on the Internet could easily build a scanner for devices on the default port for the camera and test the camera client software to see if the device opens with the default credentials. This is almost certainly what happened.

The camera itself, based on the images in the story, appears to be a Foscam FI9821P.  As detailed in the product FAQ, the default username and password are both 'admin' and default HTTP port is 8090. The software is downloadable.

For those who want to go to the trouble of changing the default security settings, the device supports WPA2 which, with a non-trivial password, would make the device far more difficult to access, and probably too much trouble to bother with. If you want to go even further and make it really hard for attackers, you can change the default port.

Default passwords are still a significant problem and attack vector. Products designed for professionals, like server software, are more likely these days to force (or at least urge) the user to change the default credentials. Vendors of consumer products are more hesitant to do so, fearing that making the product more difficult to use will leave a bad impression on the customer and result in expensive support calls.
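What "forcing the user to change the default credentials" can look like on the device side, as an added example that is not code from the article or from any vendor's firmware. The class name, the three login states and the 12-character minimum are assumptions made for illustration; only the 'admin'/'admin' defaults come from the article.

```python
import hashlib
import hmac
import os

FACTORY_USER = "admin"      # default username named in the article
FACTORY_PASSWORD = "admin"  # default password named in the article
MIN_LENGTH = 12             # assumed policy, not from the article


class CameraAuth:
    """Hypothetical device-side login gate; not any vendor's firmware."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.stored = self._hash(FACTORY_PASSWORD)
        self.must_change = True  # factory state: no camera access yet

    def _hash(self, password):
        # Salted, slow hash so the stored value is not the password itself.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def _check(self, user, password):
        # Constant-time comparisons avoid leaking how much of a guess matched.
        ok_user = hmac.compare_digest(user.encode(), FACTORY_USER.encode())
        ok_pass = hmac.compare_digest(self._hash(password), self.stored)
        return ok_user and ok_pass

    def login(self, user, password):
        """Return 'denied', 'change_required' or 'ok'."""
        if not self._check(user, password):
            return "denied"
        # Valid factory credentials unlock only the password-change step.
        return "change_required" if self.must_change else "ok"

    def change_password(self, user, old, new):
        """Replace the password; reject short values and the factory values."""
        if not self._check(user, old):
            return False
        if len(new) < MIN_LENGTH or new.lower() in (FACTORY_PASSWORD, user.lower()):
            return False
        self.salt = os.urandom(16)
        self.stored = self._hash(new)
        self.must_change = False
        return True
```

The point of the gate is that the factory credentials never reach the video or audio functions: until `change_password` succeeds, the only thing they open is the change step itself.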

This list of default passwords for routers and access points is several years old, but still useful. If you're looking for a particular device, the information is almost certainly available from the vendor's web site.

Topics: Security, Wi-Fi

About

Larry Seltzer has long been a recognized expert in technology, with a focus on mobile technology and security in recent years. He was most recently Editorial Director of BYTE, Dark Reading and Network Computing at UBM Tech. Prior to that he spent over a decade consulting and writing on technology subjects, primarily in the area of sec...
