Oh Baby - The IoT and Security

February 22, 2016

Originally published in the ISSA Journal

A mother was awoken by a strange voice shouting “wake up baby.” She looked around and found nobody in the house, but she was using a baby monitor that streamed video of her sleeping baby to her cellphone. On investigation she found that someone had hacked into her baby monitor, was watching her baby sleeping and was trying to wake the baby by shouting through the monitor to “wake up!” This is a chilling story and one which every parent would find frightening.

The advent of the Internet brought with it new ways in which cybercrime could be committed. We have seen this borne out by the increasing number of web-based threats and the exposure that email has brought with it—phishing being one of the most successful vectors for malware infection and data exfiltration. The Internet of Things (IoT), whereby the most domestic of devices like a fridge or a baby monitor is web-enabled, is now taking these threat levels to a new extreme; and the worry is that the manufacturers of IoT devices are not keeping up with the threat potential.

The problem stems from the speed at which IoT has swept upon the technology landscape. IoT devices are often connected up to web applications like email accounts, Google calendars, and other data-rich applications. Cybercriminals are after the data, not the device; the device is simply the conduit. McAfee and Intel predicted that by 2020 there would be 31 billion IoT devices worldwide, and they are now saying this is an underestimate. This opens up a massive exploit base for cybercrime, making security by design an integral part of IoT devices.


Protecting our infants

One of the areas where we are seeing IoT device innovation is in the field of parenting. There is a small explosion of devices, connected to other devices such as mobile phones and to the Internet, that are designed to help in “bringing up baby.” Health apps are a critical focus area. The Pacif-I, which tracks your baby’s body temperature through a pacifier connected to a mobile app, is a typical example. The already mentioned video baby monitor lets you connect to a camera through a mobile app to monitor your sleeping baby. There are even baby onesies that monitor your baby’s temperature, sleeping position, and breathing patterns and send the data to a mobile app.

This is creating large quantities of highly personal information about your baby. It is our duty as parents and as a society to protect them and prevent exposure of their personally identifying information.

There is significant concern regarding the security of the devices we are using to try to monitor and protect our children. Here are three areas that make these monitors insecure:

Poor implementation of Internet security protocols.
VTech just announced that a database including names, birth dates, and genders of 5 million customers and their children was stolen by hackers. However, this problem isn’t confined to baby monitors; other IoT devices like the Samsung smart fridge have been found to have serious flaws because of poorly implemented Internet security protocols (i.e., SSL/TLS), allowing cybercriminals to steal login credentials and data. With a video monitor, a cybercriminal could exploit this vulnerability, potentially accessing unencrypted streamed video, or steal authentication credentials, which could then be used to log in and take control of the device.

Back-door accounts.
Often baby monitors (and other IoT devices) have factory-set default usernames and passwords so, for example, you can log in and control the device using username “Admin” and password “Admin.” These are, of course, guessable, and brute-force attacks can then give a hacker access to the device. In the case of a baby monitor, for example, the cybercriminal could add new accounts to the device, creating their own “baby show”—horrifying stuff.

Authentication bypasses.
Any system that allows new users to be added without an authentication check at the time of account creation is highly vulnerable to abuse. Certain baby monitors have been shown to allow new users to be added without asking for a password or other authentication credential. Hackers can simply add new users, at will, to any of the vulnerable systems using a very simple URL hack.
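
As an added illustration (not code from the article or from any vendor), the sketch below shows device-side account logic that closes the second and third gaps above: the factory “Admin”/“Admin” pair cannot open a session until it has been replaced, and adding a user requires a valid admin session. The class MonitorAccounts, its method names, and the 12-character minimum are assumptions made for the example.

```python
import hashlib, hmac, secrets

FACTORY_USER, FACTORY_PASSWORD = "Admin", "Admin"  # default pair quoted in the article

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class MonitorAccounts:
    """Hypothetical account store for a monitor's admin API (constructed for illustration)."""

    def __init__(self):
        self.users = {}      # user name -> (salt, password hash)
        self.sessions = {}   # session token -> user name
        self._store(FACTORY_USER, FACTORY_PASSWORD)

    def _store(self, name, password):
        salt = secrets.token_bytes(16)
        self.users[name] = (salt, _hash(password, salt))

    def _check(self, name, password):
        salt, stored = self.users.get(name, (b"\0" * 16, b""))
        return hmac.compare_digest(_hash(password, salt), stored)

    def login(self, name, password):
        if not self._check(name, password):
            raise PermissionError("bad credentials")
        # Factory password still set: no session is issued until it is replaced.
        if name == FACTORY_USER and password == FACTORY_PASSWORD:
            raise PermissionError("default password must be changed first")
        token = secrets.token_urlsafe(32)
        self.sessions[token] = name
        return token

    def replace_factory_password(self, new_password):
        # First-boot setup only (assumed to run during local pairing); refused afterwards.
        if not self._check(FACTORY_USER, FACTORY_PASSWORD):
            raise PermissionError("setup already completed")
        if new_password == FACTORY_PASSWORD or len(new_password) < 12:
            raise ValueError("password too weak")
        self._store(FACTORY_USER, new_password)

    def add_user(self, token, name, password):
        # The check the vulnerable monitors skipped: is the caller a logged-in admin?
        if self.sessions.get(token) != FACTORY_USER:
            raise PermissionError("admin session required")
        if name in self.users:
            raise ValueError("user exists")
        self._store(name, password)
```
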


Forcing the Web to grow up

This level of security vulnerability is extremely alarming. The rush to get Internet-enabled devices out to market seems to have come at the cost of security and privacy. The protection of our privacy and personal data is one thing, but the thought of our most precious little people being exploited in this way is a step too far. The Internet of Things has opened up some innovative ways in which to keep our children safe, but more thought and work need to go into making sure those safety nets are safe.
