Baby monitor hack shows danger of default passwords

ABC News ran a story of a hacked baby monitor for the visceral fear it provokes. A more useful interpretation of the events is to warn of the dangers of default passwords.

ABC News is reporting a story of a family in Houston, TX whose baby monitor was hacked.

The story describes how the camera began emitting an unknown voice which spoke abusively to the children. The parents expressed relief that the 2-year-old girl in whose room the camera was located is deaf, so she didn't hear the perpetrator yell obscenities at her.

The ABC News story does not provide a make or model of the camera, nor any details of how it was compromised, but it's not hard to guess. It's unfortunate that the story did not take the next logical step to ask how this happened and how it could be prevented. Instead it paints the attacker as mysterious and powerful, if still a jerk.

The camera is clearly a Wi-Fi device based on the images in the story and almost certainly comes with a default username and password. Anyone on the Internet could easily build a scanner for devices on the default port for the camera and test the camera client software to see if the device opens with the default credentials. This is almost certainly what happened.

The camera itself, based on the images in the story, appears to be a Foscam FI9821P. As detailed in the product FAQ, the default username and password are both 'admin' and the default HTTP port is 8090. The software is downloadable.

For those who want to go to the trouble of changing the default security settings, the device supports WPA2 which, with a non-trivial password, would make the device far more difficult to access, and probably too much trouble to bother with. If you want to go even further and make it really hard for attackers, you can change the default port.

Default passwords are still a significant problem and attack vector. Products designed for professionals, like server software, are more likely these days to force (or at least urge) the user to change the default credentials. Vendors of consumer products are more hesitant to do so, fearing that making the product more difficult to use will leave a bad impression on the customer and result in expensive support calls.
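One way a vendor can force the credential change described above, shown as an added example that is not code from Foscam or any other product named in this article. The class, method names and the 12-character minimum are assumptions made for illustration; only the 'admin'/'admin' default comes from the article.

```python
import hashlib
import hmac
import os

DEFAULT_USER = "admin"       # factory default named in the article
DEFAULT_PASSWORD = "admin"   # factory default named in the article
MIN_LENGTH = 12              # assumed policy, not from the article


def _derive(password: str, salt: bytes) -> bytes:
    # Slow key derivation so a leaked hash is expensive to guess offline.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class CameraAuth:
    """Hypothetical device login that grants nothing until the default is replaced."""

    def __init__(self):
        self._salt = os.urandom(16)
        self._stored = _derive(DEFAULT_PASSWORD, self._salt)
        self.must_change = True  # set at the factory, cleared only by set_password

    def _check(self, user: str, password: str) -> bool:
        ok_user = hmac.compare_digest(user.encode(), DEFAULT_USER.encode())
        ok_pass = hmac.compare_digest(_derive(password, self._salt), self._stored)
        return ok_user and ok_pass

    def login(self, user: str, password: str) -> str:
        if not self._check(user, password):
            return "denied"
        # Correct default credentials unlock only the change-password step.
        return "change_required" if self.must_change else "ok"

    def set_password(self, user: str, old: str, new: str) -> bool:
        if not self._check(user, old):
            return False
        # Reject short passwords and ones that repeat the default or the username.
        if len(new) < MIN_LENGTH or new.lower() in (DEFAULT_PASSWORD, user.lower()):
            return False
        self._salt = os.urandom(16)
        self._stored = _derive(new, self._salt)
        self.must_change = False
        return True

    def view_stream(self, user: str, password: str) -> bool:
        # Video, audio and settings are reachable only after the change.
        return self.login(user, password) == "ok"
```

With this design a device left at its factory settings exposes no video or audio to anyone who knows the default login; the only thing the default password can do is replace itself.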

This list of default passwords for routers and access points is several years old, but still useful. If you're looking for a particular device, the information is almost certainly available from the vendor's web site.