New security flaws found in popular IoT baby monitors

Even internet-connected baby monitors aren't immune to hacking, including some flaws that are easy to exploit.
Written by Zack Whittaker, Contributor
(Image: CNET/CBS Interactive)

Out of a list of things that can be hacked, you might put smartphones, laptops -- even televisions and cars on that list. But as for baby monitors -- you might not think twice.

Rapid7 researchers have found a slew of new vulnerabilities in nine modern and widely available baby monitors, which they say highlights the risks in the rapid expansion in similar internet-connected devices.

Affected devices

Gyonii (GCW-1010)
iBaby (M3S)
iBaby (M6)
Lens (LL-BC01W)
Philips (B120/37)
Summer (28630)
WiFiBaby (WFB2015)
Withing (WBP01)

By connecting to Wi-Fi, these so-called Internet of Things (IoT) devices allow access from wherever the owner is in the world, but on the other hand a single vulnerability that's successfully exploited can give a hacker the same access. The trouble is these devices are often so poorly secured, it takes little effort for a hacker to gain access.

A third of the devices tested had a "critical vulnerability impacting their overall security beyond simple weaknesses," said the report, released Wednesday.

Half of the devices tested contained hidden, hardcoded account credentials (both username and password were simply "admin", "user" or simply "guest") that allowed remote access to the device's software.

Two cases from the report stood out:

"The iBaby M6 has a web service issue that allows easy access to other people's camera details by changing the serial number in a URL string. By abusing this access, filenames of a camera's recorded video clips (automatically created from a motion or noise alert) can be harvested. Through a simple script, an attacker could potentially gain access to every recorded clip for every registered camera across the entire service."

And in another case:

"The Summer Infant Baby Zoom web service contains an issue where the method of adding an authorized viewer to the camera does not require any password or secret key for access to the feed. This means that by iterating through a user identifier on a URL, an attacker can add an e-mail address of their choice to every single camera and login at will to view the stream of any camera of their choosing."

"This is not an exhaustive list," said the report. "We believe other baby monitors may be impacted by the security weaknesses, design flaws, or vulnerabilities identified through the course of this research."

Attacking baby monitors may seem scary -- creepy, at very least -- but the research backs up a slew of existing reports that show an emerging set of threats against IoT devices, in which devices have not had security put front of mind.

While the focus was on hacking baby monitors, the researchers said the wider picture was looking at other IoT-connected devices, which are increasingly connected to business networks.

"Individual web services vulnerabilities could impact numerous devices from the same vendor and their resolution could, in many cases, be implemented seamlessly and without user intervention," said the paper.

"If those key personnel are operating IoT devices on networks that are routinely exposed to business assets, a compromise on an otherwise relatively low-value target -- like the video baby monitors covered in this paper -- can quickly provide a path to compromise of the larger, nominally external, organizational network," said the report.

Rapid7 said it's unaware of these issues being actively abused at the time of publication. The company privately reported the vulnerabilities to the companies in early July.

Editorial standards