Your baby monitor is an Internet-connected spycam vulnerable to voyeurs and crooks

Researchers revealed ten major vulnerabilities in Internet-of-Things babycams from a variety of vendors ranging from spunky startups like iBaby Labs to rock-ribbed (and deep-pocketed — attention, class actioneers!) giants like Philips.


Many of these cameras have no easy, networked means of getting a firmware update, either, making their zeroday bugs into foreverday bugs. Some of these bugs were simple programmer error, but Philips, ah, Philips: they shipped an Internet-connected home spycam whose default root login was admin and /ADMIN/. Security.

As you can see, there were several new findings across a range of vendors, all operating in the same space. Here at Rapid7, we believe this is not unique to the video baby monitor industry in particular, but is indicative of a larger, systemic problem with IoT in general. We've put together a collection of IoT resources, including a whitepaper and a FAQ, covering these issues, which should fill you in on where we're at on this IoT security journey. Join us next week for a live webinar where Mark Stanislav and Tod Beardsley will discuss these issues further, or just use the #IotSec hashtag on Twitter to catch our attention with a question or comment.

#IoTsec Disclosure: 10 New Vulnerabilities for Several Video Baby Monitors [Tod Beardsley/Rapid7]