SEC Consult says it found flaws in the Fredi Wi-Fi baby monitor that would allow an outside attacker to remotely connect to the device and use its built-in camera without authentication.
According to the researchers, the monitors use poor security practices when connecting to the online portal that allows parents to view the monitors on either their laptops or mobile devices. This leaves them prone to hijacking by hackers, who could then use the cameras to spy on people.
Such was the case with Jamie Schmidt, a mother from South Carolina who complained that her monitor's camera was panning the room on its own and, after she discovered the activity, locked her out from the control panel.
"It makes me kind of sick to think what kind of stuff the person may have seen and still could be out there," Schmidt said.
"I'm supposed to protect my son and I feel like I failed him."
The security shop's researchers decided to look into the matter, and they found that the P2P service connects directly to the cloud and can be accessed with no more than an 8-digit device number and a shared default password. In other words, someone could go to the online portal and enter random numbers with the default password to pull up camera feeds.
"Unfortunately the device ID does not look very secure," the researchers wrote.
"Plus the default password is neither randomly generated nor device-specific. Unless the user has changed the password to a secure one, anyone can log in and interact with the camera by 'trying' different cloud IDs."
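The enumeration risk the researchers describe, viewed from the portal operator's side, as an added example that is not part of the article or of SEC Consult's work: it parses constructed authentication-log lines in a hypothetical format and flags any source that cycles through many distinct device IDs in a short window, and lists devices that were still opened with the shared default password.

```python
# Portal-side detection of device-ID enumeration against a P2P cloud login.
# Log format is hypothetical, constructed for this example:
#   <ISO timestamp> src=<ip> device=<8-digit id> result=<ok|fail> default_pw=<0|1>
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) device=(?P<dev>\d{8}) "
                     r"result=(?P<res>ok|fail) default_pw=(?P<dpw>[01])$")

# Constructed sample: 198.51.100.7 walks consecutive device IDs with the shared
# default password; 203.0.113.9 is a parent logging in with a changed password.
SAMPLE_LOG = """\
2018-06-12T10:00:00Z src=198.51.100.7 device=00001230 result=fail default_pw=1
2018-06-12T10:00:01Z src=198.51.100.7 device=00001231 result=ok default_pw=1
2018-06-12T10:00:02Z src=198.51.100.7 device=00001232 result=fail default_pw=1
2018-06-12T10:00:03Z src=198.51.100.7 device=00001233 result=ok default_pw=1
2018-06-12T10:00:04Z src=198.51.100.7 device=00001234 result=fail default_pw=1
2018-06-12T10:05:00Z src=203.0.113.9 device=00004242 result=ok default_pw=0
"""

def parse(log):
    """Turn log text into event dicts; lines not matching the format are skipped."""
    events = []
    for m in filter(None, map(LINE_RE.match, log.splitlines())):
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                       "src": m["src"], "dev": m["dev"],
                       "ok": m["res"] == "ok", "default_pw": m["dpw"] == "1"})
    return events

def detect_enumeration(events, max_ids=5, window=timedelta(minutes=1)):
    """(source, distinct_ids) for each source trying >= max_ids distinct IDs within `window`."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            ids = {e["dev"] for e in evs[start:end + 1]}
            if len(ids) >= max_ids:
                findings.append((src, len(ids)))
                break  # one finding per source is enough
    return findings

def exposed_devices(events):
    """Devices still reachable with the shared default password (successful logins)."""
    return sorted({e["dev"] for e in events if e["ok"] and e["default_pw"]})
```

A real portal would act on both results: throttle or block the enumerating source, and force a credential change on every device that still accepts the default password.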
In addition to being creepy as hell, the insecure monitors, SEC Consult notes, also provide a wide open door into their owners' home networks, inviting further attacks.
"The 'P2P Cloud' feature bypasses firewalls and effectively allows remote connections into private networks. Now attackers can not only attack devices that have been intentionally/unintentionally exposed to the web (classic “Shodan hacking” or the Mirai approach) but a large number of devices that are exposed via the 'P2P Cloud'."
The researchers also note that this does not appear to be an isolated incident. The Chinese company that provided the firmware for the Fredi monitor makes generic camera control apps for a number of devices, and its insecure portal is likely used on other appliances.
"It seems that consumer electronics with opaque supply chains, paired with insecure, built-in cloud features that are enabled by default will keep us busy in the future," they write.
Users are advised to use some basic practices like immediately changing default passwords and keeping an eye out for suspicious hardware activity and network traffic. ®