Hacking IoT baby monitor cameras may not be high on the priority list for most attackers, but that doesn’t mean someone is not getting off on remotely spying on families.
“My son is only 3 months old, and God knows what kind of images and videos out there of both of us and intimate moments,” Jamie Summitt told WCIV. “I feel guilty for not doing enough research on this. I didn’t know this was something I needed to look into. I thought baby monitors were kind of cut and dry. You find a baby monitor, you watch them napping, it was supposed to be a safety thing.”
The latest incident involves a $34 FREDI wireless baby camera monitor, which resembled a black-and-white puppy dog. It’s cute, and the warranty information posted on Amazon claims, “NO RISK of PERSONAL INFORMATION” and lifetime technical support. The camera can be controlled via a smartphone app and can turn 360 degrees.
“If you have this baby monitor, do yourself a favor and unplug it and throw it away RIGHT now,” Summit wrote on a Facebook post. If you only use the baby monitor while your infant is sleeping, then know that she only used it then, too.
Her story unfolds like this: Summit woke up with the baby monitor camera pointed at her, but she thought her husband had used the app to remotely check in on her. But that night, as the baby slept and she and her husband ate supper, her smartphone app let her know the camera was being moved again. It clearly was not her husband moving it.
“I looked over on my phone and saw that it was slowly panning over across the room to where our bed was and stopped,” Summitt told NPR. She explained that the camera was pointing to where she breastfed her son several times a day. “The camera paused on the empty bed, then moved back to the bassinet.”
If you are not security-focused, then being hacked may not be the first thought to pop into your head. Summit was not the first to jump to a “haunted” conclusion, although she initially believed the app was haunted and not the device. “Honestly, we were naive,” she told NPR. It didn’t take long for the couple to realize that either the device or the app had been hacked and to quickly unplug the baby monitor.
While you may be unsurprised by the hack as similar hacks have happened at least dozens of times over the years, she was floored.
“I would have never, ever bought something if I thought it was this easy of a security risk,” she added. “When I was making my baby registry, nobody warned me — no other mom said anything. It’s not common knowledge.”
“I feel so violated,” she wrote on Facebook. “This person has watched me day in and day out in the most personal and intimate moments between my son and I. I am supposed to be my son’s protector and have failed miserably. I honestly don’t ever want to go back into my own bedroom.”
The family said they called the North Charleston Police Department, but by then, when the cop wanted to see what would happen after plugging the monitor back in, the app had locked them out due to “insufficient permission.” Summit toldABC News that she suspects the “hacker ‘heard everything’ and ‘saw the officer.’”
No response from camera manufacturer
Although Summit attempted to contact the manufacturer, she said there was no response.
“We called Amazon and reported everything that happened,” she wrote on Facebook. “They then gave us the number and email for the company. The number was out of service and obviously no one has responded to the email.”
After learning that, Summit changed the password to a unique password she only used for the baby monitor. Rapid7’s director of research Tod Beardsley said it sounded like “she did all the right things.” It’s been over two years since Rapid7 gave 8 in 10 IoT baby monitors an “F” due to security flaws. Beardsley told NPR that is was “disheartening” that years later baby monitors with easily fixed flaws are still on the market.
“The fact that there are still no standards around this is a little depressing,” he said. “It will keep hackers in business for a long time.”
While it might be common knowledge to some of us that the internet of insecure things, including baby monitors, have shoddy-to-no security and therefore are easily hacked, this is a good reminder that it’s not common knowledge to everyone. If you see an internet-connected baby monitor listed on the wish list of a baby registry, then sound the alarm and let the parents know risks.
This article originally appeared on CSOOnline.com