Another baby monitor is allowing strangers to spy on children

Internet-enabled cameras: they’re supposed to secure and monitor our babies, or our pets, or our homes and offices. Realistically? All too often, a child could hack them.

The latest news from the department of Internet of Things (IoT) gadgets that you can use to spy on people: SEC Consult, an Austrian cybersecurity company, on Wednesday urged owners of MiSafes Mi-Cam baby monitors to turn them off if they want to keep their kids from being eyeballed by prying eyes or chatted up by strangers roaming the internet.

One of what the firm called multiple critical vulnerabilities allows for the hijacking of arbitrary video baby monitors. An attacker can eavesdrop on nurseries and talk to whoever’s near the baby monitor by simply modifying a single HTTP request, SEC Consult says.

The tweaked HTTP request allows an attacker to get at information about a given cloud-based Mi-Cam customer account and whatever baby monitors are paired with it, and to view and interact with those connected webcams. This video demonstrates the attack.

The baby monitors also have outdated firmware riddled with numerous publicly known vulnerabilities; root access protected by only four digits worth of credentials (and default credentials, at that); and a password-forget function that sends a six-digit validation key that’s good for 30 minutes: plenty of time for a brute-force attack.

As far as the software goes, one of the problems with the Mi-Cam app is broken session management, SEC Consult says:

A number of critical API calls can be accessed by an attacker with arbitrary session tokens because of broken session management.

This allows an attacker to retrieve information about the supplied account and its connected video baby monitors. Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied UID [unique identifier].

SEC Consult isn’t giving away much detail about these vulnerabilities. That’s because it can’t figure out how to get through to the vendor to responsibly disclose them: it’s been trying to get in touch with MiSafes since December, without any luck. It’s also tried to ask the Chinese Computer Emergency Response Team for coordination support, but CERT/CC decided not to coordinate a response or to publish the vulnerabilities.

What’s the best you can do if you’re one of the 52,000 or so people who own one of these baby monitors?

Turn it off.

After that, you might want to check out our tips on how to secure your baby monitor or other IP cameras.