Pierluigi Paganini September 03, 2015

Researchers find major security flaws in popular networked video baby monitor products that could allow attackers to snoop on babies and businesses.

Rapid7 analyzed baby monitors from six vendors, ranging in price from $55 to $260 in order to assess their security. The list of baby monitor analyzed includes the Philips In.Sight B120/37, the iBaby M3S and M6 models, the Summer Infant Baby Zoom,TrendNet Wi-Fi Baby Cam, the Lens Peek-a-View and a Gynoii device.

“I really wanted to figure out if cameras of a higher price [range] were more secure or less secure,” he explained.

Security experts at Rapid7 have discovered a number of security flaws affecting eight different video baby monitors that represent a serious threat to the privacy of the families. Baby monitors are smart devices always online equipped with a camera and a microphone, all the necessary to spy on the surrounding environment.

The researchers have discovered numerous security issues, such as hardcoded backdoor credentials, a privilege escalation bug in one of the baby monitors, an authentication bypass flaw in another, a direct browsing flaw in another, an information leakage flaw in another, and a reflective, stored cross-site scripting (XSS) bug in another.

Baby Monitors are a privileged target for hackers, they are considered secure and harmful devices by families that completely ignore the risks of a cyber attack. These devices, such as many other, could become the entry point in domestic environments.

“It’s a safety device that seems innocuous and friendly,” explained Stanislav. 

The researchers from Rapid7 hasn’t discovered evidence of mass exploitation of the baby monitors, despite none of them had been already fixed.

The Philips Electronics audio/video In.Sight Wireless HD Baby Monitor B120E/37 was affected by three of the vulnerabilities,  hardcoded credentials, reflective and stored XSS in the cloud-based Web service, and a flaw in the remote viewing feature.

The attacker can exploit the flaws to access the device and open a video stream without authentication.

“It’s exposing the entire camera Web app server on the Net,” explained Stanislav. “If you connect to the device and you’re not the person who initiated the connection and is authorized to view it, you shouldn’t” be allowed to view it, he says. “The vuln is [that it’s] not requiring any authentication,” he says.

Philips promptly replied to the report by providing a timeline for patches, the company added that Philips device is now managed by Gibson Innovations. The patches are expected to release by September 4.

“As part of our responsible disclosure policy and processes, Philips has been in contact with both Gibson Innovations and the security research firm investigating this issue, to promptly and transparently address known and potential vulnerabilities in Philips products,” a Philips spokesperson said.

Another disconcerting aspect of the story is that it is very easy to discover baby monitors, and other IoT devices, online by using the Shodan search engine for internet-connected devices.

In the following table are reported the vulnerabilities discovered by the researchers:

The news is not surprising, technology is dramatically enlarging our attack surface, our home are full of IoT devices that could be easily exploited by attackers. Recently, security experts have uncovered a huge quantity of vulnerabilities in Smart TVs and Smart Fridges, it is quite normal with rapid diffusion of IoT devices that in many cases lack security by design.