Baby monitors are a lot smarter than they used to be. The devices began as little more than two-way audio and video feeds, but more recent models come with sophisticated web services, including app access and remote viewing. But as manufacturers add new features, a new report shows that their security may not be keeping pace.
The report, by Mark Stanislav and Tod Beardsley of security analytics provider Rapid7, focuses on the security of retail video baby monitors. Stanislav and Beardsley analysed nine cameras from eight different vendors, including Philips, Summer and iBaby, and assigned them A-F letter grades after assessing the security of their mobile applications, device firmware and web services. Each device was then rated on a 250-point scale for overall security. "Do they encrypt web service API calls? When the camera authenticates the service, is that encrypted? Deduct points if not," said Stanislav, explaining the scoring system.
The results were abysmal. Eight of the nine cameras received a failing F, while the other received a D. The security failures included a number of known vulnerabilities, including transmitting video and sending data to servers without encryption. Many of the connected devices also had built-in passwords that could be guessed (or worse, published) by the attacker, a long-standing concern in embedded devices.
Rapid7 researchers also discovered a number of new vulnerabilities, including one that could let attackers access the video feed of the Summer Baby Zoom WiFi Monitor. The camera includes a web access feature, which lets remote users (relatives in another state, for instance) watch the video feed, as long as they've been authenticated through a URL sent via email. But triggering that email is easier than it should be. According to Stanislav, the web service doesn't provide any sort of secure token, so an attacker could easily fake a remote access request if they wanted to watch the video remotely. From there, a separate privilege escalation bug could be exploited to give them administrator access over the device.
A similar bug popped up in two Philips In.Sight models. The monitor lets users tap into the camera's stream through the Philips app, but in order to show that stream, the camera hosts it on a public address. If someone scanned the limited number of addresses where those feeds are hosted, they could easily see which cameras are actively being watched and tap directly into those video feeds. There aren't any restrictions on who can access the stream, and once an attacker has broken in, they can keep the feed open even after the user has closed the app.
Fortunately for In.Sight customers, Philips is expected to patch the bug later this week. "Whilst the security vulnerabilities are a concern and are being addressed, at this time we are not aware of any consumers who have been directly affected by this issue," the company said in a statement. No other vendors reported a forthcoming patch, although Rapid7 disclosed the bugs in early July.
Many of the vulnerabilities have to do with service architecture rather than the devices themselves, so in theory, they should be simple to patch. Unfortunately, most monitor companies are still getting used to the demanding world of vulnerability disclosure. As the report puts it, "the absence of a fast, reliable, and safe patch pipeline is a serious and ongoing deployment failure for the IoT [internet of things]." Unencrypted video streams are particularly tricky since processors in many cameras simply don't have the ability to encrypt live video data, making the devices insecure by design.
Many of the attack vectors described in the report will be difficult to stop entirely. As baby monitors have gotten more web-friendly, they've also grown more dependent on manufacturers' remote servers, often run by a third party. If any link in the chain is breached, every camera using the service will be vulnerable. It's a powerful line of attack, and hard to block off without keeping the devices off the web entirely. "Your camera could be behind eight firewalls," says Stanislav, "but as long as it's connecting to the internet, it's at risk."