In a classic case of unintended consequences, manufacturers of today's video and audio baby monitors are wishing they had thought a bit more about the security and privacy afforded to their products. Researchers at Rapid 7, a U.S. security firm, focusing on security implications of products which fall under the rubric of "internet of things" (IoT) have discovered a great many security issues with the baby monitors on the market today.
Rapid 7's research shows that the manufacturers went to market with a product which clearly function as advertised, but did not have security designed into the product. The researchers identified seven monitors by manufacturer and model.
If you own one of the identified devices, contact the manufacturer and query when and in what manner will they be closing the identified security vulnerabilities. Should you be in the market for a baby monitor, you may wish to note the models which were compromised and determine if the level of compromise affects your use case or not. Bottom line, check reviews and research what the security community says about the security and privacy of that particular baby monitor.
Devices which are affected:
• Gyonii (GCW-1010) - $89.34 -- Backdoor Credentials.
• iBaby (M3S) - $169.95 - Backdoor Credentials.
• iBaby (M6) - $199.95 - Predictable public information leak.
• Lens (LL-BC01W) - $54.99 - Backdoor Credentials.
• Philips (B120/37) - $77.54 - Backdoor Credentials, Reflective and Stored XSS, and Direct Browsing via Insecure Streaming.
• Summer (28630) - $199.99 - Authentication Bypass and Privilege Escalation
• TRENDnet (TV-IP743SIC) - $69.99 - Backdoor Credentials.
The researchers went on to warn that a significant percentage of models not reviewed probably contain the same types of weaknesses.
This article by Christopher Burgess is crossposted from Senior Online Safety with permission.