If you were starting to think that all the talk about cyber security has been a bit overblown, think again.
In the Internet of Things — where everything has network connectivity — anything can be hacked that does not have proper security in place.
Even a baby monitor, evidently.
This doesn’t mean that we’ll never be secure; it just means we need to change our default mode of thinking from “assuming nothing can happen” to “assuming we need to secure each and every item”.
Article by Lisa Vaas in Naked Security.
Emphasis in red added by me.
Brian Wood, VP Marketing
Baby-monitor hacker spies on and swears at sleeping 2-year-old
A hacker took over a baby monitor in a home in the US city of Houston, Texas, to spy on a 2-year-old girl, to broadcast obscenities at the child, to swivel the camera so as to watch her shocked parents as they came in, and to then call the parents insulting names.
According to ABC News, Marc Gilbert and his wife, Lauren, heard the voice of a strange man with a British or European accent coming from the bedroom of their daughter, Allyson, on 10 August.
Marc Gilbert. Image courtesy of ABC news.As the parents approached the room, they heard the hacker call their daughter an “effing moron.”
The voice also told her to ”‘wake up, you little sl*t.”
When the Gilberts entered the room, the monitor’s camera swiveled toward them. The hacker then called Marc Gilbert a “stupid moron” and Lauren Gilbert a “b*tch”.
Marc Gilbert disconnected the monitor and tried to figure out what had happened, but he told ABC News that he couldn’t, of course, see the hacker – he could only hear the voice and see that the intruder was controlling the camera.
Gilbert told reporters that he believes the hacker hacked his router. The hacker also, apparently, hacked the camera, through which he could see Allyson’s name on the bedroom wall above her bed.
Fortunately, Allyson slept through the virtual invasion. She was born with a hearing impairment, and her cochlear implants were turned off at the time, Gilbert said, which was “something of a blessing”:
“If she had heard it it would have been a big problem.”
ABC News subsequently drove through a neighborhood with a baby monitor video receiver on the dashboard, picking up crystal-clear video feeds left and right.
First they found Dominic, playing with his toes in his crib. Next they viewed 14-month old Tally, sleeping in her crib.
They found a camera pointed at a bed in one neighborhood, and they viewed a woman making a bed in another.
Baby monitors open the home to invasions by creeps and, potentially, burglars in this manner because they’re on fixed frequencies, putting out a signal as long as the device is on.
Security experts say it’s best to turn the monitors off, but that seems rather counter to the purpose of having a monitor in the first place.
The wireless channels used by the devices can often be picked up outside the home, as demonstrated by ABC News when it scanned neighborhoods to see what it could pick up.
The vulnerability of these leaky systems was highlighted in 2009 when a US family in the state of Illinois sued the manufacturer of a baby monitor they purchased at toy retailer Toys R Us.
After a month of using the monitor, a neighbor warned the family that its camera was broadcasting its signal into their home, enabling the neighbors to hear entire conversations within the nursery.
Yahoo News, reporting in 2011, noted that newer baby monitors at the time featured frequency hopping technology to randomly change channels in an attempt to ensure privacy, but that older, less-secure versions were still to be found in stores.
Critics have accused Gilbert of bringing the hacking on himself by leaving his router unsecured, such as this commenter on ABC Local’s coverage:
“I’m certainly not condoning what happened, but it’s not hacking if you don’t bother to secure your router. It’s 2013. Learn to use your equipment or hire someone who does. It’s not really any different than plumbing or electric work.”
Gilbert responded that the router was password-protected, and the firewall was enabled. The IP camera was also password-protected, he said.
Of course, devices may well be protected by passwords, but default passwords that haven’t been changed are like having no password at all, as other commenters pointed out.
Video baby monitors can broadcast to TVs, hand-held receivers, or even over WiFi to PCs or smartphones.
That means you can keep an eye on your children from almost anywhere.
Unfortunately, it also means that others can, and do.
Be careful with these devices’ security. That starts with changing default passwords.
Those who can’t figure this out should ask for help from somebody with security expertise – somebody they trust with the safety of extremely precious things.