Sophos Cloud Optix
A hacker took over a baby monitor in a home in the US city of Houston, Texas, to spy on a 2-year-old girl, to broadcast obscenities at the child, to swivel the camera so as to watch her shocked parents as they came in, and to then call the parents insulting names.
According to ABC News, Marc Gilbert and his wife, Lauren, heard the voice of a strange man with a British or European accent coming from the bedroom of their daughter, Allyson, on 10 August.
As the parents approached the room, they heard the hacker call their daughter an “effing moron.”
The voice also told her to ”‘wake up, you little sl*t.”
When the Gilberts entered the room, the monitor’s camera swiveled toward them. The hacker then called Marc Gilbert a “stupid moron” and Lauren Gilbert a “b*tch”.
Marc Gilbert disconnected the monitor and tried to figure out what had happened, but he told ABC News that he couldn’t, of course, see the hacker – he could only hear the voice and see that the intruder was controlling the camera.
Gilbert told reporters that he believes the hacker hacked his router. The hacker also, apparently, hacked the camera, through which he could see Allyson’s name on the bedroom wall above her bed.
Fortunately, Allyson slept through the virtual invasion. She was born with a hearing impairment, and her cochlear implants were turned off at the time, Gilbert said, which was “something of a blessing”:
“If she had heard it it would have been a big problem.”
ABC News subsequently drove through a neighborhood with a baby monitor video receiver on the dashboard, picking up crystal-clear video feeds left and right.
First they found Dominic, playing with his toes in his crib. Next they viewed 14-month old Tally, sleeping in her crib.
They found a camera pointed at a bed in one neighborhood, and they viewed a woman making a bed in another.
Baby monitors open the home to invasions by creeps and, potentially, burglars in this manner because they’re on fixed frequencies, putting out a signal as long as the device is on.
Security experts say it’s best to turn the monitors off, but that seems rather counter to the purpose of having a monitor in the first place.
The wireless channels used by the devices can often be picked up outside the home, as demonstrated by ABC News when it scanned neighborhoods to see what it could pick up.
The vulnerability of these leaky systems was highlighted in 2009 when a US family in the state of Illinois sued the manufacturer of a baby monitor they purchased at toy retailer Toys R Us.
After a month of using the monitor, a neighbor warned the family that its camera was broadcasting its signal into their home, enabling the neighbors to hear entire conversations within the nursery.
Yahoo News, reporting in 2011, noted that newer baby monitors at the time featured frequency hopping technology to randomly change channels in an attempt to ensure privacy, but that older, less-secure versions were still to be found in stores.
Critics have accused Gilbert of bringing the hacking on himself by leaving his router unsecured, such as this commenter on ABC Local’s coverage:
I'm certainly not condoning what happened, but it's not hacking if you don't bother to secure your router. It's 2013. Learn to use your equipment or hire someone who does. It's not really any different than plumbing or electric work.
Gilbert responded that the router was password-protected, and the firewall was enabled. The IP camera was also password-protected, he said.
Of course, devices may well be protected by passwords, but default passwords that haven't been changed are like having no password at all, as other commenters pointed out.
Video baby monitors can broadcast to TVs, hand-held receivers, or even over WiFi to PCs or smartphones.
That means you can keep an eye on your children from almost anywhere.
Unfortunately, it also means that others can, and do.
Be careful with these devices' security. That starts with changing default passwords.
Those who can't figure this out should ask for help from somebody with security expertise - somebody they trust with the safety of extremely precious things.
Image of baby monitor courtesy of Shutterstock.
Image of Marc Gilbert, courtesy of ABC News
I would love to more about this subject. Would this include cameras set up in the home for security protection? There is no sound, but they have the ones that you can view from a PC or smart phone while at work or away on vacation. Can those cameras be hacked into also? And if so, how can it be set up to be less vulnerable to such attacks? In layman's terms please, if anyone knows.
Yes. That is why laptops are not allowed into Security Areas. The cameras can be turned on from the net. If you have your computer in your bedroom, and if you are beautiful, you might become a video star.
That's why I keep my camera covered — even if someone turns it on, all they're going to see is the back of a Band-Aid! 😀
If it is connected to a network, it can be broken into, but the chances of someone actively trying to break into your home network are slim to none. There's a lot left unsaid about the technical aspects of this person's network, and I suspect with good reason, such as the kind of router, if it was provided by his ISP, and what kind of security is being used (WEP, WPA, WPA2…) If the default passwords are left it's easy to figure out. Also, many wireless routers from DSL providers, at least I know AT&T does this, come with predefined passwords on a label attached to the side. I'm more than sure there's an algorithm to creating those default passwords that has already been figured out.
As to how to better protect yourself, use a wireless security mechanism like WPA2-PSK (also called WPA2 Personal) with a strong passphrase. Instead of garbled characters, pick a short sentence you'll remember. WPA2 encrypts all traffic using that key so as long as you've got a hard to guess key, you should be fairly protected. Always change the default passwords for the administrator access to the router and for any password-protected, networked cameras. You can get a reasonable level of security without spending a lot of money.
Yes. Search on Naked Security for "webcam" and you'll come up with a dismaying number of hacks.
If you check out a recent one I wrote about the market for hacked webcams (yup, it exists: $1 for a webcam set up to spy on what hackers call a female "slave," $1 for 100 male slaves), you'll find a list of ways to protect yourself, gleaned from ChildNet International and the UK's Child Exploitation and Online Protection Centre.
The article: http://nakedsecurity.sophos.com/2013/06/21/stolen…
Absolutely. Home security cameras are commonly left completely open to the public internet. Every now and then, someone will post to Reddit or Hacker News about a site they wrote/discovered that congregates "all" of the open cameras into one webpage. They have a handy feature that also maps these cameras to a physical location on a map, so you can browse cameras in your local area.
How do you secure these? I'd recommend not installing the cameras and infrastructure yourself – have a pro do it. Once they set it up, make sure that you have to enter a username/password to view the cameras, and that the connection is over HTTPS.
Actually, it is still hacking. If you don't have permission to be on the system or device, then it is hacking. Just because someone leaves their door unlocked does not give anyone the right to walk in and take something.
Depends on your definition of hacking I guess. Just because someone leaves their door unlocked and you enter does not make you a thief, for example.
Unauthorized entry is unauthorized entry though, whether it's to a home or to someone's electronic devices. This is different than if a neighbor was watching TV and their configuration suddenly started picking up the baby monitor signals.
That said, I'd think there is some federal department that is responsible for such things; monitoring systems (baby especially, but also home, etc.) that are sold as such should not be using public broadcast methods; otherwise, the device is being sold fraudulently (it is advertised as a security device, but is actually decreasing security by broadcasting what is expected to be private). That's a little off topic here, as it seems that the device in question was "secure" but the network it was running on had been compromised.
Also keep in mind that the courts do measure blame and due diligence will definitely play a factor when all things are considered. Illegal, yes. But don't think just because it's your property that you won't get some of the blame for leaving the door wide open. Same reason some insurance companies will put you at fault if you leave your keys in your car and then it gets stolen.
Marc and Lauren are friends of ours. Lauren was a bridesmaid in my wedding. This really hit close to home as we have a 2 year old and use a baby monitor, but ours isn't accessible from the Internet.
The craziest thing is that they contacted their ISP (Comcast aka Comcrap) and were told that they couldn't find anything based upon their firewall's logs. They did discover that when the router was initially setup by a comcast tech, the firewall was setup to the lowest settings.
Another reason to set up stuff yourself or have a trusted IT savy friend do it for you!
Chuck, thanks for weighing in. Please convey my sympathies to the Gilberts. What a nasty shock it must have been for them. I agree with Marc: it's a blessing his daughter's cochlear implants were off and she didn't get frightened by this creep.
On a lighter note, I haven’t laughed at work that much in a while, just at the thought of a baby monitor gone bad and spouting obscenities at a sleeping child, then swiveling towards the parents. Such is my humor I guess. 🙂
Would you still laugh if the camera was pointed at you?
it depends what it caught me doing I suppose. But if it's like at a random moment when I'm in the shower or on the loo that's when I'd have an issue. But I do think it's funny, what lonervamp pointed out. It's like something out of Doctor Who.
I just visited my aunt in Maine last week and her wireless router and modem installed by Fairpoint was configured to use WEP. The password was the Mac address of the modem. I spent an hour or so (after cleaning her computer of malware) reconfiguring the modem/router combo to use WPA2 with AES and to use an SSID that is readable and with a strong memorable passphrase. I of course wrote it all down in her book where she keeps such things but it’s still better than what she had.
But yes, the ISPs and the techs that the ISPs use to set up such things are doing these kinds of things very poorly.
Craig M is ABSOLUTELY RIGHT! I try to teach people about Internet security, and 99% of them don’t get it. Get a firewall, set it to the most secure settings, turn off your computer when you are not using it, don’t send sensitive information over a wireless device, etc. Google is searching Gmail messages. And it’s silly to think that the NSA will stop spying on everyone connected to the Internet after the many billions of dollars it has spent on its equipment. The Internet is simply not secure.
May be funny to some and you may think it's not hacking, but to access someones system without permission is a crime (as McHuntley stated) and I hope the police are trying to find the culprit. You would think there is a limit to how far it would transmit, and assuming the culprit wasn't a radio person with a beam antenna or dish (I don't know what the frequency of baby monitors, but it's probably micro wave) to be able to pinpoint the person. So a local person, maybe a couple homes away.
This should be pursued by the local PD or at least reported to the FBI. They (FBI) has more funding a people that do this sort of stuff. The only way this stuff gets handled is to report it. If they get enough reports, they will do something.
The bottom line is if the door is open, don't go in, when computers are involved. Unless you like prison food and lifestyle. This guy was obviously an idiot and probably has a police record. If not now, he will have.
Jack
It was an IIP-based monitor, so the attacker could be sitting in a Starbucks in Amsterdam. The FBI will only investigate if harm was caused or damages exceed a certain level. Local police likely don't have the talent or time to follow this up. They could hire a private computer forensics investigator to track things down and then report to the appropriate authorities, but this is expensive and drawn-out.
In the short term, the best thing to do is to hire someone to secure the network and teach you how to maintain it yourself. This could be as easy as getting some local user group to hold a workshop for you and your friends (to defray costs).
Since it uses radio waves, the F.C.C., (Federal Communications Commission), has authority here, though they usually are accompanied by a Sheriff's deputy for enforcement issues. The maximum penalty for violating FCC rules is $10,000 And/or 10 years in a Federal Penitentiary FOR EACH DAY of a violation. A typical penalty would be more like $5,000 or 10,000, which would be mire than enough to dissuade most people. So in cases of hacking or other illegal acts involving any kind of radio emissions – including interference – don't forget "Uncle Charlie". AKA "Frank Charlie and Clyde", (the FCC).
I use a wireless video/audio baby monitor in my work shop as part of a cheap security system. I keep the monitor in my bedroom by my bed. Any noise or movement will trigger it and the monitor will turn on which wakes me. I have another baby monitor with only audio monitoring that I use in a tool shed. I believe they operate in the 900 MHz range. Several times the audio only one began broadcasting conversations and other activities from someone else's home. I never picked up a stray video feed, though. It did surprise me! I never listened beyond trying to see if I could ID the people so I could alert them, but it happens very infrequently.
Were someone to see my feeds they'd see tools hanging against a wall and a closed door. Big fun for some I guess!
This story is a bit confusing / misleading. Two different technologies appear to be mentioned here without discussion of either. Most baby monitors broadcast on the 900MHz or 2.4GHz spectrum. The news article mentions just driving around with a video monitor and picking up signals from random baby monitors. This can easily be done by anyone assuming the broadcasting camera is not using DSS / FHSS or encryption. However, the other thing mention in this story is the use of an IP cam. IP cams may share the same frequency, but the technology is completely different. IP cams need to be associated with a wireless network, and if you value privacy, you encrypt the data using the camera and router's encryption protocols. You cannot simply drive around a neighborhood and start snooping on an IP camera. This would require you to establish a network connection (join the network, get an IP address, etc) and then discover what address the IP camera is on and try to access it. If the network is encrypted using WPA2, this cannot be done within seconds. If you are not using encryption, accessing the network would be easy, but again, it cannot be done while just driving around as you will be in and out of range. The lesson here is, enable encryption and change default passwords. If you are using an older baby monitor, or one without some type of security, like DSS / FHSS, then your privacy will be compromised. This story also reminded me of the old cordless phones, which sometimes could be heard on baby monitors or a police scanner.
Thank you for the details, George. I'm sorry that the story was misleading or confusing. I'll get into the hairy details next time I write up anything similar, and I'll welcome your corrections then, as I do now.
What George said.
Trust no one.
If you have a microphone, smartphone, camera or computer attached to the Internet, then you are vulnerable to hacking. Understand your devices and how the security works on them. If they are unsecured, put them behind a hardware firewall.
If someone else set up a device for you and set your password(s), learn how to change them. The only person you can really depend on for your internet safety is YOU, and for many people, that's not saying a lot.
Is this where the Internet must come to a halt ?
Are we going to allow this to take it to the next step?
As you might know it is possible to teach a child words in his/her sleep.
With this contraption even via IPV6…
Horrific !!
That seems like a bit of an overreaction. "OMG! There's criminals using the internet! Shut it down!"
Because there weren't any criminals before the internet, were there?
At first, I thought this article was from theonion.com
LOL
Back in the mid 1980's I bought an ICOM R-7000 receiver. I picked up a lot of things on that like the old car phones in the 150 MHz range, cordless phones and baby monitors. The baby monitors have VERY sensitive microphones. I could hear a baby making baby noises but in the background I could hear what was going on in the entire house. I could hear the mom making dinner in the kitchen and the dad watching TV in the living room.
I wasn't looking for anything in particular, I was just tuning through the dial to see what was out there. I found a lot!
Lessee …
1. The toddler had a hearing impairment … *and* the aids were shut off, so the hacker's words were not heard by the baby!
2. The router was password-protected, *and* the firewall was enabled … *and* the IP camera was also password-protected! And the hacker still got through! But fortunately the toddler slept through everything! How convenient!
I'm not believing the parents at all. They were careless and are trying to avoid embarrassment by saying their equipment was secure.
Wait. Did ABC News test the availability of RF camera feeds when this was an IP cam? I so confused.
The baby monitors have both feeds. RF signals for the monitor that came with the unit and the optional IP feed in case the customer wants Internet access to the feed as well.
Lock that insane imbecile in prison forever!
Just think: Until recent technology, parents were able to keep tabs on their sleeping children just fine by walking to the room and checking on them. Sheesh! Is it necessary to by every techy toy that comes on the market?
"common sense" if the bedrooms were on another floor i'd want a baby monitor too , there are circumstances where a monitor is a necessity not a luxury ! never had one but i see the need for many families to have one ! every good idea has a down side 🙁
This "blame the victim" mentality by the tech community has to stop.
Sure he should have secured his router — but since when does leaving my door unlocked give anyone a right to come in and steal my property? It doesn't and the same should apply with technology.
Yes the homeowner was dumb for not securing his router but let's place the blame for this incident squarely where it belongs: on the intruder (hacker).