Researchers Warn of Hackable Baby Monitor

Security researchers have concluded that a Chinese-made baby monitor sold on Amazon is riddled with vulnerabilities, confirming a mother’s suspicion that her device had been hacked to spy on her infant.

SEC Consult said the FREDI-branded device, which is designed to look like a puppy, is most likely the work of an OEM called Shenzhen Gwelltimes Technology Co., Ltd.

The device has a P2P cloud feature that allows supported smartphone and desktop apps to connect to it via the cloud, making it easy for users to interact with it without needing to be on the same network. No firewall rules, port forwarding rules or DDNS setup are needed either, SEC Consult claimed.

“On the back of the device there is an ID Code and a password (ID: 11610289, password: 123). In the supported app (e.g. YYP2P) there is an ‘Add online device’ function that allows you to add the device,” the researchers explained.

“Unfortunately the device ID does not look very secure. Plus the default password is neither randomly generated nor device-specific. Unless the user has changed the password to a secure one, anyone can log in and interact with the camera by ‘trying’ different cloud IDs.”

SEC Consult claimed that researchers had already shown how to hack a P2P cloud system in a demo last year “that starts with scanning for valid device IDs, brute forcing passwords and then exploiting missing firmware update integrity/authenticity checks to gain remote code execution and persistence on the device.”

Hackers could do this not only to spy on users but also to gain entry into their private home networks, it said. There are also question marks over the unknown cloud server operator, which in this set-up receives all the video feeds.

The research confirms the suspicions of a South Carolina mother who earlier this month was widely reported as claiming her baby monitor had been hacked to spy on her and her baby.

“In the South Carolina case the most likely scenario is that someone is scanning for valid device IDs with insecure/default passwords and then spies on the owners of the device, possibly based on the information released by Security Research Labs in November 2017,” concluded SEC Consult.

“It seems that consumer electronics with opaque supply chains, paired with insecure, built-in cloud features that are enabled by default will keep us busy in the future.”
