Griefer hacks baby monitor, terrifies toddler with spooky voices

Remember how, back in September 2015, researchers revealed that virtually every "smart" baby-monitor they tested was riddled with security vulnerabilities that let strangers seize control over it, spying on you and your family?

Predictably enough, accounts are now surfacing of voyeurs and griefers who are using these capabilities to spy on and taunt babies.

Jay and Sarah, parents in San Francisco, couldn't figure out what their three-year-old meant when he said he was scared to sleep at night because the "phone" kept talking to him, but then one night Sarah walked by and heard a stranger's voice coming out of the monitor, saying, "Wake up little boy, daddy's looking for you."

When Sarah walked in the room, the camera's night-vision lens turned to examine her and the voice added, "look someone's coming into view."

Another family in Minnesota discovered their baby-monitor had been hacked when they found photos of their baby online, apparently taken covertly with their monitor.

An "expert" in the report advises changing your wifi password and the PIN for your baby-monitor, but that will probably not do much, given the deep, extensive vulnerabilities in so many popular models.

What's more, it's only a matter of time until one of the cloud-based companies is hacked, allowing all its video-streams to be compromised.

We actually returned a home "smart" CCTV last summer. It promised to use motion-detection to trigger a video-stream sent, via the cloud, to your phone. This sounded like it had a lot of potential for mischief to me, but I don't have the chops to reverse-engineer and test the device. However, a quick look at the device's FAQ revealed this entry:

"We have strict internal policies and barriers in place to ensure that all personal customer data remains private and secure within the XXXX Cloud at all times. Only select XXXX employees have access keys to systems that contain sensitive customer information. Authorized access to the XXXX Cloud is granted on a least-privilege basis."

A followup email verified that the company didn't have the option of end-to-end encryption. By design, anyone who could successfully impersonate a "select employee" could watch all the video of all of the company's customers, everywhere in the world. The only thing protecting all this was a startup that could fold tomorrow, and whose priorities would shift from second to second as they "pivoted" while seeking a profitable business or an exit to a larger company.

That was enough for me. We sent it back.

Horrified, the couple took immediate action and phoned Foscam, the manufacturer of the monitor, who explained it was possible their device was hacked and being controlled by someone using a smartphone app or laptop, KDVR reports.

Concerned that the hacker may have further intentions, the family has made safety a top priority in their home and is using their harrowing experience to inform others of the potential dangers of baby monitors.

Stranger hacks family's baby monitor and talks to child at night [Chante Owens/San Francisco Globe]

(Thanks, Fipi Lele!)