Be aware that baby monitors can be hacked into a spycam

Written by Sam Leigh, Jun 22, 2018

Security researchers say they can back up a mother's claim that her baby monitor had been remotely hacked and used to spy on her family.

SEC Consult says it found flaws in the Fredi Wi-Fi baby monitor that would allow an outside attacker to remotely connect to the device and use its built-in camera without authentication.


According to the researchers, the monitors use poor security practices when connecting to the online portal that allows parents to view the monitors on either their laptops or mobile devices. This leaves them prone to being hijacked by hackers who could then use the cameras to spy on people.

Such was the case with Jamie Schmidt, a mother from South Carolina who complained that her monitor's camera was panning the room on its own and that, after she discovered the activity, she was locked out of the control panel.

"It makes me kind of sick to think what kind of stuff the person may have seen and still could be out there," Schmidt said.

"I'm supposed to protect my son and I feel like I failed him."

The security shop's researchers decided to look into the matter, and they found that the P2P service connects directly to the cloud and can be accessed with no more than an 8-digit device number and a shared default password. In other words, someone could go to the online portal and enter random numbers with the default password to pull up camera feeds.

"Unfortunately the device ID does not look very secure," the researchers wrote.

"Plus the default password is neither randomly generated nor device-specific. Unless the user has changed the password to a secure one, anyone can log in and interact with the camera by 'trying' different cloud IDs."
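
As an added example (not from SEC Consult or the original article), the ID-guessing pattern the researchers describe shows up on the portal side as one source trying many distinct device IDs in a short time. The log format, field names and thresholds below are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in an assumed format (not the real portal's).
SAMPLE_LOG = """\
2018-06-20T10:00:00 src=198.51.100.20 device_id=48151623 result=ok
2018-06-20T10:00:01 src=203.0.113.7 device_id=10000001 result=fail
2018-06-20T10:00:02 src=203.0.113.7 device_id=10000002 result=fail
2018-06-20T10:00:03 src=203.0.113.7 device_id=10000003 result=ok
2018-06-20T10:00:04 src=203.0.113.7 device_id=10000004 result=fail
2018-06-20T10:00:05 src=203.0.113.7 device_id=10000005 result=fail
2018-06-20T10:05:00 src=198.51.100.20 device_id=48151623 result=ok
2018-06-20T10:09:00 src=198.51.100.20 device_id=48151623 result=ok
"""

# timestamp, source address, 8-digit device number, login outcome
LINE_RE = re.compile(r"^(\S+) src=(\S+) device_id=(\d{8}) result=(ok|fail)$")

def find_id_sweeps(log_text, window=timedelta(seconds=60), min_distinct=5):
    """Return {src: peak distinct device IDs seen in any window} for
    sources at or above min_distinct. Assumes lines are in time order."""
    recent = defaultdict(deque)  # src -> (timestamp, device_id) inside window
    peak = defaultdict(int)      # src -> highest distinct-ID count observed
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than guessing at fields
        ts = datetime.fromisoformat(m.group(1))
        src, dev = m.group(2), m.group(3)
        q = recent[src]
        q.append((ts, dev))
        # Drop attempts that have aged out of the sliding window.
        while ts - q[0][0] > window:
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= min_distinct}

if __name__ == "__main__":
    for src, n in find_id_sweeps(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct device IDs within one window")
```

A parent checking one monitor repeatedly never exceeds a count of 1, so the distinct-ID count separates that behaviour from a sweep regardless of whether individual logins succeed.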

In addition to being creepy as hell, the insecure monitors, SEC Consult notes, also provide a wide-open door into their owners' home networks, inviting further attacks.

"The 'P2P Cloud' feature bypasses firewalls and effectively allows remote connections into private networks. Now attackers can not only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach) but a large number of devices that are exposed via the 'P2P Cloud'."


The researchers also note that this does not appear to be an isolated incident. The Chinese company that provided the firmware for the Fredi monitor makes generic camera control apps for a number of devices, and its insecure portal is likely used on other appliances.

"It seems that consumer electronics with opaque supply chains, paired with insecure, built-in cloud features that are enabled by default will keep us busy in the future," they write.

Users are advised to use some basic practices like immediately changing default passwords and keeping an eye out for suspicious hardware activity and network traffic.
