Originally published in the ISSA Journal
A mother was awoken on hearing a strange voice shouting “wake up baby.” She looked around and found nobody in the house, but she was using a baby monitor that streamed video of her sleeping baby to her cellphone. On investigation she found that someone had hacked into her baby monitor, was watching her baby sleeping, and was trying to wake the baby by shouting through the monitor to “wake up!” This is a chilling story and one that every parent would find frightening.
The advent of the Internet brought with it new ways in which cybercrime could be committed. We have seen this borne out by the increasing number of web-based threats and the exposure that email has brought with it—phishing being one of the most successful vectors for malware infection and data exfiltration. The Internet of Things (IoT), whereby the most domestic of devices like a fridge or a baby monitor is web enabled, is now taking these threat levels to a new extreme; and the worry is that the manufacturers of IoT devices are not keeping up with the threat potential.
The problem stems from the speed at which IoT has swept across the technology landscape. IoT devices are often connected to web applications like email accounts, Google calendars, and other data-rich applications. Cybercriminals are after the data, not the device; the device is simply the conduit. McAfee and Intel predicted that by 2020 there would be 31 billion IoT devices worldwide, and they are now saying this is an underestimate. This opens up a massive exploit base for cybercrime, which makes security by design an essential part of IoT devices.
Protecting our infants
One of the areas where we are seeing IoT device innovation is in the field of parenting. There is a small explosion of devices, connected to other devices such as mobile phones and to the Internet, that are designed to help in “bringing up baby.” Health apps are a critical focus area. The Pacif-I, which tracks your baby’s body temperature through a pacifier connected to a mobile app, is a typical example. The already mentioned video baby monitor lets you connect to a camera through a mobile app to monitor your sleeping baby. There are even baby onesies that monitor your baby’s temperature, sleeping position, and breathing patterns and send the data to a mobile app.
This is creating large quantities of highly personal information about your baby. It is our duty as parents and as a society to protect them and prevent exposure of their personally identifying information.
There are significant concerns regarding the security of the devices we are using to try to monitor and protect our children. Here are three areas that make these monitors insecure:
Poor implementation of Internet security protocols.
VTech just announced that a database including names, birth dates, and genders of 5 million customers and their children was stolen by hackers. However, this problem is not confined to baby monitors; other IoT devices like the Samsung smart fridge have been found to have serious flaws because of poorly implemented Internet security protocols (i.e., SSL/TLS), allowing cybercriminals to steal login credentials and data. In the case of a video monitor, a cybercriminal could exploit this vulnerability to access unencrypted streamed video or to steal authentication credentials, which could then be used to log in and take control of the device.
Often baby monitors (and other IoT devices) have factory-set default usernames and passwords so, for example, you can log in and control the device using username “Admin” and password “Admin.” These are, of course, guessable, and brute force attacks can then give a hacker access to the device. In the case of a baby monitor, for example, the cybercriminal could add new accounts to the device creating their own “baby show”—horrifying stuff.
Any system that allows new users to be added without an authentication check at the time of account creation is highly vulnerable to abuse. Certain baby monitors have been shown to allow new users to be added without asking for a password or other authentication credential. Hackers can simply add new users, at will, to any of the vulnerable systems using a very simple URL hack.
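The last two weaknesses above, seen from the manufacturer's side: the following is an added example, not code from the article or from any vendor, of an account store that refuses to create users for unauthenticated requests and for sessions still on the factory default password. The class name, method names, return strings, and the 12-character minimum are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

FACTORY_DEFAULT = ("Admin", "Admin")  # the default pair the article cites


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MonitorAccounts:
    """Hypothetical account store for a camera; not any vendor's firmware."""

    def __init__(self):
        self._users = {}     # name -> (salt, hash, is_admin, must_change)
        self._sessions = {}  # session token -> name
        self._store(*FACTORY_DEFAULT, is_admin=True, must_change=True)

    def _store(self, name, password, is_admin, must_change):
        salt = secrets.token_bytes(16)
        self._users[name] = (salt, _hash(password, salt), is_admin, must_change)

    def login(self, name, password):
        rec = self._users.get(name)
        if rec is None or not hmac.compare_digest(rec[1], _hash(password, rec[0])):
            return None
        token = secrets.token_urlsafe(32)  # unguessable, server-side session
        self._sessions[token] = name
        return token

    def change_password(self, token, new_password):
        name = self._sessions.get(token)
        if name is None or len(new_password) < 12 or new_password == FACTORY_DEFAULT[1]:
            return False
        self._store(name, new_password, self._users[name][2], must_change=False)
        return True

    def add_user(self, token, new_name, new_password):
        """Create an account only for an authenticated admin off the default password."""
        name = self._sessions.get(token)  # unknown or missing token: anonymous request
        if name is None:
            return "denied: authentication required"
        _, _, is_admin, must_change = self._users[name]
        if must_change:
            return "denied: change the factory password first"
        if not is_admin or new_name in self._users or len(new_password) < 12:
            return "denied: not permitted"
        self._store(new_name, new_password, is_admin=False, must_change=False)
        return "created"
```

The point of the design is that the authorization decision is made on the device from its own session table, so nothing the caller puts in a request can stand in for a login.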
Forcing the Web to grow up
This level of security vulnerability is extremely alarming. The rush to get Internet-enabled devices out to market seems to have come at the cost of security and privacy. The protection of our privacy and personal data is one thing, but the thought of our most precious little people being exploited in this way is a step too far. The Internet of Things has opened up some innovative ways in which to keep our children safe, but more thought and work need to go into making sure those safety nets are safe.