A nanny was spooked on Monday by a cyber creep peeping in on her via a baby monitor while she changed a baby’s diaper.
Local Texas news outlet KHOU reports that the nanny, Ashley Stanley, thought the 1-year-old girl’s parents were teasing her:
I thought it was her mom and dad playing a joke on me: 'Is there like a toy on or something? 'Cause that is creeping me out!'
The man’s voice, coming over the internet-enabled security camera, informed Stanley of her movements in the room, as well as commenting on the task at hand. Stanley quoted him:
That's a really poopy diaper.
The nanny’s employers were not, in fact, playing a joke.
Rather, the intruder had broken through the security of the family’s password-protected Wi-Fi and then been able to access the camera, which was not, unfortunately, protected by more than the default password.
Both the parents and Stanley thought that the security camera was set up to only allow viewing on the mobile app when the phone was also on the network.
Not so, it turns out.
The device is a Foscam camera protected only by a default password, which is akin to no protection at all. (It’s so easy to guess weak or default passwords that a password-cracking program would probably guess them faster than you can type them.)
This is not the first baby monitor that’s been hijacked, by far.
In 2013, yet another cyber creep took over a baby monitor to spy on a 2-year-old Texas girl, to broadcast obscenities at the child, to swivel the camera so as to watch her shocked parents as they came in, and to then call the parents insulting names.
It’s not just baby monitors that are subject to getting hijacked, either.
In November 2014, a site was making extremely dubious white-hat claims about pointing out the dangers of not changing default passwords on IP cameras.
That site, Insecam.com, made clear exactly how far into our lives e-marauders can get: besides feeds from baby monitors in nurseries around the world, the site was allowing strangers to spy on people via security webcams delivering live feeds from bedrooms, offices, shops, restaurants, bars, swimming pools and gymnasiums.
Insecam.com claimed to tap into the direct feeds of hundreds of thousands of private cameras secured with default passwords from 152 countries – including, for example, Thailand, Sudan, the Netherlands, the UK, the US, Bolivia, Korea, and China.
These and other tales have motivated Foscam to make an important change to its cameras. As Foscam COO Chase Rhymes told KHOU, the cameras it’s manufactured in the past year force users to change default passwords.
Older cameras, however, may require a firmware upgrade, he said. And regardless of what camera model you buy, it’s imperative to make sure that you change the default password and username, Rhymes noted.
Please promise us you won’t choose a password like “password” or “123456”, nor any of the other head-bangers that pop up on year-end “top worst passwords” lists (fresh out of the bad-password bakery, here’s 2014’s!).
If somebody else has installed a camera for you or for any of your colleagues, friends or family, please grill the installer for details on what type of password the device shipped with: whether it was unique to the device (preferable), whether it required a password change upon installation (also preferable), or whether it had a default password that still needs changing.
Think of an internet camera with a default password as a window into your house that you’ve inadvertently left open.
As Paul Ducklin describes it, leaving that window open doesn’t justify somebody crawling through to wander through your home. That’s illegal, unethical and unjustifiable, plain and simple.
But why even give somebody the opportunity?
Close that window. Lock it. Change that password. Make it hard to guess.
To find out how to do that, watch our short, straight-talking video.
What you do in your bedroom or any room in your house is your business. Likewise, nobody should be sticking his nose where it doesn’t belong – including in your baby’s diaper.
4 comments on “Baby monitor hijacked; change default password urges Foscam”
Better yet, do a better job of securing your wifi network.
No, it’s not the WiFi. For this hijacking they are coming in over your broadband connection.
If you set up the babycam so you can watch from your remote office, you need to open a path through your router. If you can get in, so can others unless a good password is used.
A combination of the two would be best.
In any article I read about this sort of thing (webcam remote monitoring), I really think writers don't do enough to highlight or explain to non-techies "how" this happened, and always focus on the security of the camera – passwords etc.
While obviously important – I think Laurence's comment above alludes to the fact that the main reason for this happening is down to how the internet router was set up, i.e. did it allow inbound connections?
If there were no inbound connections this simply could not happen – unless it was an incredibly sophisticated attack. But for the majority of us this is unlikely to be the cause of such an event.
From most of the articles you’d think that simply turning the thing on means you’re going to be remotely viewed – and that’s simply not true if your router is configured correctly. (In my humble understanding)
I can't fathom why this is always left out – not just Sophos articles; most are guilty.
End of rant. 😉