back to article Don't panic, but your baby monitor can be hacked into a spycam

Security researchers say they can back up a mother's claim that her baby monitor had been remotely hacked and used to spy on her family. SEC Consult says it found flaws in the Fredi Wi-Fi baby monitor that would allow an outside attacker to remotely connect to the device and use its built in camera without authentication. The …

  1. Waseem Alkurdi Silver badge

    More insecure IoT, now more creepy!

    Pfft. Isn't there a liability for makers of this stuff?

    1. Kev99 Bronze badge

      Re: More insecure IoT, now more creepy!

      No. You can't protect against stupidity.

    2. razorfishsl

      Re: More insecure IoT, now more creepy!

      Over in HK & China it works like this:

      You get hired.

      You know almost fuck all about programming, but you are good at talking.

      you get onto git hub or stack overflow for C&P your code, but most important you throw up a few screens for the MD to look at and you bullshit.

      most of these guys would not know security if it bit them on the ass, i do work for a company where thier "programmer" built a whole business system that is just screens, no code written just "under construction" but it does have great graphics.

      Language handling is done by having (screen * number of languages) and most of the code so far is just patch on patch on patch.

      But MD's don't want to know, becasue they see the money going out to pay you.. but don't see the results... unlike the over paid guy who can throw up a screen in 30 min.

      if a security guy does his job , then there is "nothing to see"

      How do you justify a salary if there are no "measurable results"?

    3. John Brown (no body) Silver badge

      Re: More insecure IoT, now more creepy!

      "Pfft. Isn't there a liability for makers of this stuff?"

      The article says it's got a default standard password. The user should have changed that. There may be other vulnerabilities, but in this case it seems to be the users fault for not setting up their own password.

      1. Waseem Alkurdi Silver badge

        Re: More insecure IoT, now more creepy!

        The article says it's got a default standard password. The user should have changed that. There may be other vulnerabilities, but in this case it seems to be the users fault for not setting up their own password.

        This exactly is the problem. The unit shouldn't have a default password but no password and should not be operable unless the user sets one upon first boot.

  2. Anonymous Coward
    Anonymous Coward

    These cameras also pan the room during initialisation after reboot because of a crash so would be hard to differentiate between that and it having been hacked.

  3. Teiwaz Silver badge

    Don't panic, but.....

    Seeing that phrase in headlines a lot recently, perhaps it's just a meme, but since we are seeing it a lot, perhaps panic is well past due.

    I know I experience significant culture shock when I notice not just the 'we don't give a shit as long as we get your money' IOT attitude, but the mindless buy-in that only encourages them.

    I know I'm most certainly a prime example of a 'culture of one', but all the same....

  4. Zog_but_not_the_first Silver badge
    Holmes

    See icon

    See title

  5. This post has been deleted by its author

    1. Phil O'Sophical Silver badge

      No as easy as that

      The first question is why a password is required. If it's so the user can log in remotely and control/access the device then giving them a random password is pointless. They'll get so fed up not being able to remember it that they'll change it to be Password1.

      What they really need is some better password-less authentication system, perhaps a way to securely link an app & the device at install time. That, unfortunately, costs more money to develop, especially to make it both secure & sufficiently simple for a non-technical user to setup. If it's too complex we'll just see Amazon comments along the lines of "Too hard to set up, returned and bought XXX instead", where XXX is the model that allows you to enter "Password1".

      It's cheap consumer tat, and very difficult to get past the "leave the key under the mat, no-one will look there" mindset.

    2. DropBear Silver badge

      No need. Just force the user to change/choose the password as the first thing you do before anything else the first time you try to access the thing.

      1. Charles 9 Silver badge

        And then they just use "12345" due to poor memory and we're back to square one. And there are no alternatives that can work with things like smartphones that wouldn't themselves be targets for hacks or theft.

        IOW, if the user demands unicorns or else, how do you win?

  6. Mage Silver badge

    Deja Vue

    It's not the first.

    Is ANYTHING controlled by an App bad?

    Email and Browser are not terrifically safe, but unlike coffee makers, locks, thermostats, baby monitors etc they actually need the Internet.

  7. terrythetech
    WTF?

    Basic practices!?

    "Users are advised to use some basic practices like immediately changing default passwords and keeping an eye out for suspicious hardware activity and network traffic."

    'basic practices' and 'network traffic' in the same sentence

    How is your average punter going to have any idea about what suspicious network traffic is or how to keep an eye out for it!?

    1. Wellyboot Silver badge

      Re: Basic practices!?

      It's a pity that for most users this list applies;

      Networks? what's that? I've just got a wifi box that gives me the internet

      Can't see I'm being spied on 'now' so it isn't happening

      Can't do deductive reasoning

      Don't see the 'change password' messages

      Don't understand something so it's magically perfect and/or trivial

      Security is always beaten by Convenience

  8. King Jack
    Headmaster

    The only reason I would use a baby monitor is if my child was really ill. I mean with wires monitoring heart rate or on a drip for medicine. Or if I lived in a mansion with 40 rooms where the nursery was in the upper west wing. As none of the above applies then letting a child that needs attention call out (cry) is good. It develops the lungs and teaches Jr patience as the parent dosn't appear every time it farts. I used to love technology but now i'm an old fart I fail to the reason for most of its existence unless the aim is to give your privacy away for free.

    1. Symon Silver badge
      Childcatcher

      I would also use one if I was at a tapas party in southern Portugal with my doctor friends.

      Too soon?

      1. PATSYQB

        Not just too soon, but just plain offensive. I assume that this comment got through because the mods were too stupid or lazy to read it. In future, if you're not sure that your comment is acceptable, play it safe and keep your stupid mouth shut. Have a downvote from me, arsehole.

        1. Anonymous Coward
          Anonymous Coward

          The "mods" don't read every post here - it's not their job, so next time, before you accuse them of being stupid or lazy, play it safe and keep your stupid mouth shut.

    2. John Brown (no body) Silver badge
      Windows

      "The only reason I would use a baby monitor..."

      And why does it need remote, "cloud" access? If you need that you don't trust the baby sitter (bad), or you left the kid alone (more bad!)

    3. Anonymous Coward
      Anonymous Coward

      "As none of the above applies then letting a child that needs attention call out (cry) is good. It develops the lungs and teaches Jr patience as the parent dosn't appear every time it farts."

      Ever thought Jr. lacks the mental capacity for patience, that very young children are basically acting on instinct, and that a house doesn't have to be so big (just very noisy, say one with other kids) to mask a baby's cry even from a not-so-considerable distance? Not to mention the potential calls for parental neglect? Thus the infamous meme that a baby means sleepless nights?

  9. Steve Davies 3 Silver badge
    Facepalm

    Do we really need more evidence that...

    pretty well anything like this is a security nightmare.

    IoT to me means that anyone installing it is either and Idiot or a total Twat.

    If you aren't able to check the security of a device then don't install the effing thing.... It ain't rocket science it is?

    As for those IoT front door locks, what thief needs a better invite to rob your place as it will certainly be full of other electronic goodies...

    [see icon]

    1. Charles 9 Silver badge

      Re: Do we really need more evidence that...

      "If you aren't able to check the security of a device then don't install the effing thing.... It ain't rocket science it is?"

      To Joe Stupid, IT IS. That's what IT often overlooks to their detriment. We need a solution for people who demand unicorns or else, think The Internet is their Web browser, and can't remember a password to save their lives.

      1. John Brown (no body) Silver badge
        Joke

        Re: Do we really need more evidence that...

        "To Joe Stupid, IT IS. That's what IT often overlooks to their detriment. We need a solution for people who demand unicorns or else, think The Internet is their Web browser, and can't remember a password to save their lives."

        Easy, just tie every IoT device to their Facebook account. Sorted!

  10. Dan 55 Silver badge

    Why would this need a mothership?

    It's not as if you're going to leave the house. It can all be done on the LAN.

    1. HellDeskJockey

      Re: Why would this need a mothership?

      Good point I like my IOT stuff but I keep it local. Also you need to be careful how you communicate. My electronic deadbolts do not communicate wirelessly. I could upgrade to some but why would I add a security hole. Though with my house a good foot would do the trick. When thinking about IOT be sure to look at how they communicate.

  11. Will Godfrey Silver badge
    Unhappy

    It's not all bad

    I'm sure the spooks think it's great.

    /s

    1. AGOO

      Re: It's not all bad

      Was there ever a secure baby monitor? The older RF types were blasting out everything in the clear anyway. The last thing someone should want to do is listen to a baby screaming or hear a parent throwing up after being crapped on at three in the morning.

  12. ShortLegs

    Its received glowing reviews on the web, and not one of the half dozen I have skimmed recommends changing the default password from 8888 to something even remotely "secure"....

    As one poster above alluded to, IoT stands for "Idiot or Twat".

  13. Kev99 Bronze badge

    Old news. Nothing new here. Move along.

  14. Shadow Systems Silver badge

    This makes me want to buy one!

    Knowing it's about as secure as Adobe Flash means I can count on it getting hacked within moments of connecting it to the internet.

    Which means script kiddies will find it, hack it, & soon be exposed to the live feed from the camera & mics...

    Which I will have "accidentally" connected to the Vogon porn broadcast!

    *Ominous maniacal laughter*

    I'm not evil, I'm "Creatively Vindictive", there's a difference. =-D

  15. a_yank_lurker Silver badge

    Idiocy of Toys

    These devices are sold to people with the implication that security is properly taken care of. Even knowing to change the password by the more aware does not mean they have necessarily properly secured the device. To make matters worse, the typical set up of these devices is done by a simple wizard which implies you are finished securing once the wizard finishes.

    This is compounded by the fact that most people view networks, microwaves, computers, etc. as black boxes with varying levels of complexity. They do not really understand how their coffee maker works so expecting them be an expert on computer network security is idiotic in the extreme.

  16. Anonymous Coward
    Anonymous Coward

    NEWS ROUNDUP JULY 2021

    BRISTOL NEWS

    TECHNOLOGY PUZZLES

    A reader has contacted this paper, incensed about a recent purchase of a security camera system. The set up procedure required the reader to create a new account in "the cloud" in order to set up the cameras. When the user went away on holiday, they logged in to the camera account and were surprised to see the inside of some else's house.

    When they got back home, they discovered that they had been burgled.

    More puzzling was the complete lack of any sign of forced entry. Further inquiries with Amazon revealed that the burglar had gained entry by shouting though the letter box "Alexa, open the front door" and subsequently "Alexa, open the garage door". The burglar used the empty garage, which had access directly into the house, to load up a box van with stolen property. Unfortunately, the security camera vendor cannot trace the video which actually came from the house at the time of the burglary.

    The insurance company refused our reader's claim, saying that the security system was defective. The warehouse vendor and the security system manufacturer both refused to provide even a refund. An Amazon spokesperson told this paper "No comment".

  17. GnuTzu Bronze badge
    Stop

    Never

    Wouldn't this garbage if I was running full IPS and 24-hour scans on my local network. If you're product creates a tunnel of any kind into my network, I am not buying.

    1. ds6 Bronze badge
      Go

      Always

      Congratz, nearly every modern laptop, router, IoT device, car, toaster, and even your nan's toothbrush are connected to the internet and shout at the nearest master server not only that they exist, but where they are, who you are, your dog's name, and the shape of your left gonad.

      The more advanced models allow you and anyone else to remotely access anything for your and their convenience, because this is what you and they want, we and they are sure of it! See: Windows RDP which is enabled by default on most models, Swiss cheese router admin panels, cameras of the baby variety or otherwise, cars with a giant phablet plonked right in the dash that automatically connects to any nearby bluetooth device, or otherwise anything even partially cloudy.

      There is no escape. Embrace the Intimacy of Telemetry.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019