The point of baby monitors is to ensure the safety of children.
It’s most certainly not to let cyber marauders invade a nursery’s privacy, swivel the camera around at will, use it to spy on infants, swear at the child, insult parents, give running commentary to diaper-changing nannies, play creepy music, make sexual noises, stream the footage to a website, or have its images indexed along with feeds from all the other unsecured webcams a spidering search engine can dig out from the web.
But that, unfortunately, is exactly what’s happened in a string of incidents involving baby monitors.
Now, months after researchers demonstrated the existence of serious vulnerabilities in the devices, New York City is launching an investigation into monitor manufacturers to learn more about the devices, their security practices, and whether known vulnerabilities have been patched.
The city’s Department of Consumer Affairs (DCA) announced on Wednesday that it’s issued subpoenas to a number of manufacturers.
At the same time, the DCA issued a warning to parents, advising them to research the devices to see if a given model, or its applications, has any known security vulnerabilities.
The DCA also posted a list of tips on how to keep the internet-connected cameras safe.
The agency wouldn’t name the companies it’s subpoenaed, but Wired reports that the agency has targeted a total of four manufacturers.
According to Wired, the DCA says that the subpoenas “demand to see evidence to back up claims that the companies make about the security of their devices, complaints they’ve received about unauthorized access to the cameras, their use of encryption on the devices, and their history of handling vulnerabilities discovered in the devices, including alerting customers, releasing patches, and whether those patches were actually implemented by the devices’ owners.”
Consumer Affairs Commissioner Julie Menin told the publication that if the companies aren’t living up to the promises of security they’ve made in their marketing, they could face civil fines for deceptive marketing practices.
Wired quotes her:
This is a situation where parents purchase a video monitor intending for it to give them peace of mind…and instead what we’re seeing is some terrifying instances of people hacking into them.
When these manufacturers say they keep your babies safe, and yet they’re not taking precautions they need to protect families’ data, that’s a real problem, and it’s deceptive marketing.
Insecure webcams are nothing new.
Note that there are many other types of webcams being picked up by hackers, not just babycams.
We recently wrote about Shodan, a search engine for internet-connected devices that crawls its way around the internet, connecting to likely services, logging what comes back, and creating a searchable index of the results.
Besides babies being spied on, Shodan has been picking up streams from a motley list of webcams. Ars Technica reports that it’s already made public images from “marijuana plantations, back rooms of banks, children, kitchens, living rooms, garages, front gardens, back gardens, ski slopes, swimming pools, colleges and schools, laboratories, and cash register cameras in retail stores.”
Sextortion is of course another subgenre of the crimes pulled by cyber creeps accessing unsecured webcams.
But the New York DCA says that it’s focusing its investigation on baby monitors because of all of the real-world incidents underscoring the validity of security researchers’ warnings.
The consumer protection agency is advising parents to conduct thorough research on devices before purchasing one; to use a strong, non-default, unique password (here’s how); to register the products and keep them patched; and to turn them off when they’re not in use.
To add to that list, we’ve put together some tips on how to secure your baby monitor.