Baby monitor hijacked; change default password urges Foscam
Naked Security

A nanny was spooked last week by a cyber creep peeping in on her via a baby monitor while she changed a baby's diaper.

A nanny was spooked on Monday by a cyber creep peeping in on her via a baby monitor while she changed a baby’s diaper.

Local Texas news outlet KHOU reports that the nanny, Ashley Stanley, thought the 1-year-old girl’s parents were teasing her:

I thought it was her mom and dad playing a joke on me: 'Is there like a toy on or something? 'Cause that is creeping me out!'

The man’s voice, coming over the internet-enabled security camera, informed Stanley of her movements in the room, as well as commenting on the task at hand. Stanley quoted him:

That's a really poopy diaper.

The nanny’s employers were not, in fact, playing a joke.

Rather, the intruder had broken through the security of the family’s password-protected Wi-Fi and was then able to access the camera, which unfortunately was protected by nothing more than the default password.

Both the parents and Stanley thought that the security camera was set up to only allow viewing on the mobile app when the phone was also on the network.

Not so, it turns out.

The device is a Foscam camera protected only by a default password, which is akin to no protection at all. (It’s so easy to guess weak or default passwords that a password-cracking program would probably guess them faster than you can type them.)

This is not the first baby monitor that’s been hijacked, by far.

In 2013, yet another cyber creep took over a baby monitor to spy on a 2-year-old Texas girl, to broadcast obscenities at the child, to swivel the camera so as to watch her shocked parents as they came in, and to then call the parents insulting names.

It’s not just baby monitors that are subject to getting hijacked, either.

In November 2014, a site was making extremely dubious white-hat claims about pointing out the dangers of not changing default passwords on IP cameras.

That site, Insecam.com, made clear exactly how far into our lives e-marauders can get: besides feeds from baby monitors in nurseries around the world, the site was allowing strangers to spy on people via security webcams delivering live feeds from bedrooms, offices, shops, restaurants, bars, swimming pools and gymnasiums.

Insecam.com claimed to tap into the direct feeds of hundreds of thousands of private cameras secured with default passwords from 152 countries – including, for example, Thailand, Sudan, the Netherlands, the UK, the US, Bolivia, Korea, and China.

These and other tales have motivated Foscam to make an important change to its cameras. As Foscam COO Chase Rhymes told KHOU, the cameras it’s manufactured in the past year force users to change default passwords.

Older cameras, however, may require a firmware upgrade, he said. And regardless of what camera model you buy, it’s imperative to make sure that you change the default password and username, Rhymes noted.

Please promise us you won’t choose a password like “password” or “123456”, nor any of the other head-bangers that pop up on year-end “top worst passwords” lists (fresh out of the bad-password bakery, here’s 2014’s!).

If somebody else has installed a camera for you or for any of your colleagues, friends or family, please grill the installer for details on what type of password the device shipped with: whether it was unique to the device (preferable) or required a password change upon installation (ditto) or whether it had a default password that needs changing.

Think of an internet camera with a default password as a window into your house that you’ve inadvertently left open.

As Paul Ducklin describes it, leaving that window open doesn’t justify somebody crawling through to wander through your home. That’s illegal, unethical and unjustifiable, plain and simple.

But why even give somebody the opportunity?

Close that window. Lock it. Change that password. Make it hard to guess.

To find out how to do that, watch our short, straight-talking video.

What you do in your bedroom or any room in your house is your business. Likewise, nobody should be sticking his nose where it doesn’t belong – including in your baby’s diaper.

Image of baby monitor courtesy of Shutterstock.