Baby monitor hack shows danger of default passwords

Baby monitor hack shows danger of default passwords

Summary: ABC News ran a story of a hacked baby monitor for the visceral fear it provokes. A more useful interpretation of the events is to warn of the dangers of default passwords.

TOPICS: Security, Wi-Fi

ABC News is reporting a story of a family in Houston, TX whose baby monitor was hacked. See the embedded video of the story below.

The story describes how the camera began emitting an unknown voice which spoke abusively to the children.  The parents expressed relief that the 2-year-old girl in whose room the camera was located is deaf, so she didn't hear the perpetrator yell obscenities at the child.

The ABC News story does not provide a make or model of the camera, nor any details of how it was compromised, but it's not hard to guess. It's unfortunate that the story did not take the next logical step to ask how this happened and how it could be prevented. Instead it paints the attacker as mysterious and powerful, if still a jerk.

The camera is clearly a Wi-Fi device based on the images in the story and almost certainly comes with a default username and password. Anyone on the Internet could easily build a scanner for devices on the default port for the camera and test the camera client software to see if the device opens with the default credentials. This is almost certainly what happened.

The camera itself, based on the images in the story, appears to be a Foscam FI9821P.  As detailed in the product FAQ, the default username and password are both 'admin' and default HTTP port is 8090. The software is downloadable.

For those who want to go to the trouble of changing the default security settings, the device supports WPA2 which, with a non-trivial password, would make the device far more difficult to access, and probably too much trouble to bother with. If you want to go even further and make it really hard for attackers, you can change the default port.

Default passwords are still a significant problem and attack vector. Products designed for professionals, like server software, are more likely these days to force (or at least urge) the user to change the default credentials. Vendors of consumer products are more hesitant to do so, fearing that making the product more difficult to use will leave a bad impression on the customer and result in expensive support calls.

This list of default passwords for routers and access points is several years old, but still useful. If you're looking for a particular device, the information is almost certainly available from the vendor's web site.

Topics: Security, Wi-Fi

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Poor design is at fault

    To me using wifi is not very smart in the first place. The company should provide a way to block the http port access from the internet.

    Remember technology is developed by people who do not have the moral ability to discern the ramification of the technology they are designing. The design web pages and devices ignorant that such dives can fall into the wrong hands.
    • it's open by design

      These products are designed to be externally accessible from the Internet so that, for instance, parents can check on their kids from work. It's not a bad idea as long as the device gets a good password.
  • This is *NOT* a baby monitor

    Sorry folks, but that camera is certainly NOT a "baby monitor". It is a WiFi enabled webcam. Nothing more, nothing less. If some dumbass in Texas used it as a baby monitor and didn't secure it with either WEP or WPA2, and kept the defaults, then little wonder why this WEBCAM got hacked.

    Lets get the story straight folks, and not scare the living crap out of everyone who wants to buy a monitor from Fisher Price, thinking a real baby monitor will get hacked.
    James S. Williams
    • Huh?

      What's the difference between a webcam and an Internet-accessible baby monitor?