Monday, November 28

Millions of baby monitors, security cameras easy to hack

We really, really need to stop buying cheap security cameras. The latest chapter in this ongoing saga is a good example.


You may recall that a few weeks ago, South Carolina mother Jamie Summitt discovered what she believed to be a hacker spying on her and her baby using her $34 FREDI wireless baby monitor.

In a new report, the information security company SEC Consult details a vulnerability the snooper could have exploited. If SEC Consult is correct, many other baby monitors, security cameras, and webcams from the same manufacturer (hint: not FREDI) could be vulnerable to the same attack.

To protect yourself, you should always change the password on one of these devices as soon as it comes out of the box. If there is no password or you cannot change it, discard the device and buy something better.


Summitt's FREDI baby monitor, like many inexpensive consumer monitoring products, uses a cloud-based remote control system (known as a “P2P cloud function”) to transmit data between a device and its user.

FREDI is just one of the many brands affixed to the devices. Other brands include HiKam, Sricam, HKVStar, and Digoo, according to research presented in November by Security Research Labs in Germany.

SEC Consult says that the actual manufacturer is a company called Shenzhen Gwelltimes Technology Co. Ltd., and that all of the cameras instruct buyers to use the Yoosee smartphone app (for Android and iOS) to access camera images. Security Research Labs was able to collect evidence from nearly a million vulnerable devices online, probably just a fraction of the actual number.


In essence, all the data that one of these cameras collects is stored on the manufacturer’s cloud server and travels from the camera to the server and then back to the user’s smartphone. This means that a criminal does not need to be connected to your private network to spy on you. If someone can intercept your connection, from anywhere in the world, they can access all the data on your camera.

(Image credit: SEC Consult)

How does the attacker intercept your connection? Many of the models in question have device-specific identification numbers, but they share a common default password that is not entirely secure. (As you can see in the photo above, one model’s password was literally “123.”) The idea is that owners can connect their device to the app on their phone by entering the ID number and password.

You can probably see where this is going: If shady characters have the shared device password, they can try different device IDs until they have connected a stranger’s camera to their phone.

But that is not all. Gwelltimes devices also have sequential IDs, so once a hacker finds a device’s ID number on the internet, it’s much easier to find the next device ID.

So what can you do? If you own a device like this (and if you are using the Yoosee app, you probably do), then you should always change the default password to something secure. That said, this may not always be enough: Summitt told ABC News that she changed her monitor's password when she first received it, and some devices have weak protections that allow hackers to bypass passwords.


The most reliable way to keep snoopers out is to stop buying cheap security devices. Cameras like the $200 Netgear Baby Ring are expensive, but they come with software that is frequently updated to address vulnerabilities and apps that are more difficult to crack.
