Hacking Baby Monitors is dramatically easy

Pierluigi Paganini September 03, 2015

Security researchers from the security firm Rapid7 discovered a number of vulnerabilities affecting several video baby monitors.

Researchers find major security flaws in popular networked video baby monitor products that could allow attackers to snoop on babies and businesses.

Rapid7 analyzed baby monitors from six vendors, ranging in price from $55 to $260, in order to assess their security. The baby monitors analyzed include the Philips In.Sight B120/37, the iBaby M3S and M6 models, the Summer Infant Baby Zoom, the TrendNet Wi-Fi Baby Cam, the Lens Peek-a-View and a Gynoii device.

“I really wanted to figure out if cameras of a higher price [range] were more secure or less secure,” he explained.

Security experts at Rapid7 have discovered a number of security flaws affecting eight different video baby monitors that represent a serious threat to the privacy of families. Baby monitors are always-online smart devices equipped with a camera and a microphone, everything needed to spy on the surrounding environment.

The researchers have discovered numerous security issues, such as hardcoded backdoor credentials, a privilege escalation bug in one of the baby monitors, an authentication bypass flaw in another, a direct browsing flaw in another, an information leakage flaw in another, and a reflective, stored cross-site scripting (XSS) bug in another.

Baby monitors are a privileged target for hackers: families consider them secure and harmless devices and completely ignore the risk of a cyber attack. These devices, like many others, could become the entry point into domestic environments.

“It’s a safety device that seems innocuous and friendly,” explained Stanislav. 

The researchers from Rapid7 haven't discovered evidence of mass exploitation of the baby monitors, even though none of them had yet been fixed.

The Philips Electronics audio/video In.Sight Wireless HD Baby Monitor B120E/37 was affected by three of the vulnerabilities: hardcoded credentials, reflective and stored XSS in the cloud-based Web service, and a flaw in the remote viewing feature.


The attacker can exploit the flaws to access the device and open a video stream without authentication.

“It’s exposing the entire camera Web app server on the Net,” explained Stanislav. “If you connect to the device and you’re not the person who initiated the connection and is authorized to view it, you shouldn’t” be allowed to view it, he says. “The vuln is [that it’s] not requiring any authentication,” he says.

Philips promptly replied to the report with a timeline for patches; the company added that the Philips device is now managed by Gibson Innovations. The patches are expected to be released by September 4.

“As part of our responsible disclosure policy and processes, Philips has been in contact with both Gibson Innovations and the security research firm investigating this issue, to promptly and transparently address known and potential vulnerabilities in Philips products,” a Philips spokesperson said.

Another disconcerting aspect of the story is that it is very easy to discover baby monitors, and other IoT devices, online by using the Shodan search engine for internet-connected devices.

The following table lists the vulnerabilities discovered by the researchers:

CVE | Attack vector | R7 ID | Vulnerability class | Device
CVE-2015-2886 | Remote | R7-2015-11.1 | Predictable Information Leak | iBaby M6
CVE-2015-2887 | Local Net, Device | R7-2015-11.2 | Backdoor Credentials | iBaby M3S
CVE-2015-2882 | Local Net, Device | R7-2015-12.1 | Backdoor Credentials | Philips In.Sight B120/37
CVE-2015-2883 | Remote | R7-2015-12.2 | Reflective, Stored XSS | Philips In.Sight B120/37
CVE-2015-2884 | Remote | R7-2015-12.3 | Direct Browsing | Philips In.Sight B120/37
CVE-2015-2888 | Remote | R7-2015-13.1 | Authentication Bypass | Summer Baby Zoom Wifi Monitor & Internet Viewing System
CVE-2015-2889 | Remote | R7-2015-13.2 | Privilege Escalation | Summer Baby Zoom Wifi Monitor & Internet Viewing System
CVE-2015-2885 | Local Net, Device | R7-2015-14 | Backdoor Credentials | Lens Peek-a-View
CVE-2015-2881 | Local Net | R7-2015-15 | Backdoor Credentials | Gynoii
CVE-2015-2880 | Device | R7-2015-16 | Backdoor Credentials | TRENDnet WiFi Baby Cam TV-IP743SIC

The news is not surprising: technology is dramatically enlarging our attack surface, and our homes are full of IoT devices that could be easily exploited by attackers. Recently, security experts have uncovered a huge quantity of vulnerabilities in Smart TVs and Smart Fridges. This is to be expected given the rapid diffusion of IoT devices that in many cases lack security by design.

“A lot of the same [security] issues are in business-focused IoT,” says Mark Stanislav, senior security consultant at Rapid7, who spearheaded the new research. Seemingly benign networked devices such as nursery monitors could be used as a stepping-stone to other home network devices, namely a home worker’s business data and applications, he says.

I found the research very interesting and I hope it can help non-technical individuals understand the risks related to the lack of security in IoT devices.


Pierluigi Paganini

(Security Affairs – baby monitors, IoT)
