Your baby is as vulnerable to hackers as you are.
A new study from security firm Rapid7 has revealed that the baby-monitor industry is rife with easily exploited problems.
The widespread flaws represent yet another problem with the nascent and much-touted Internet of Things, the Web-connected ecosystem of everyday devices and appliances. Because of differing security standards, the IoT is rife with vulnerabilities. Hackers recently killed a Jeep’s engine while it was being driven by remotely accessing its software, prompting a recall of 1.4 million cars.
Rapid7 said that all nine of the baby-monitor brands it tested had major security flaws. As is the case in other industries, the sophistication and effect of those flaws were varied.
iBaby Labs, which lets registered camera owners log into a website to view a live feed, also makes it easy for hackers to improperly access an account by letting them randomly guess its password an unlimited number of times, a technique known as brute-forcing.
Philips gave each of its In.Sight cameras the same default username and password, which meant that anyone could access a poorly configured camera just by knowing that information. Another company, Summer Infant, lets anyone with a camera’s ID number create an account for that camera—without even notifying the person who originally registered the device.
Rapid7 noted that it wasn’t aware of any particular large-scale effort to hack such devices, although some white-hat hackers have used the vulnerabilities to set up livestreams of multiple baby monitors to draw attention to the issue.
Of the nine major baby-monitor manufacturers, only one—Philips—acknowledged Rapid7’s findings and pledged to address them.