
How to secure your baby monitor

Two more families say they've had baby monitors turned into nursery-room eavesdropping bugs. Here's how to button up your baby's security, camera, Wi-Fi, router and all.

Baby monitor. Image courtesy of Shutterstock

Two more nurseries have been invaded, with strangers apparently spying on parents and their babies via their baby monitors.

This is nuts. We’re hearing more and more about these kinds of crimes, but there’s nothing commonplace about the level of fear they’re causing as families’ privacy is invaded. It’s time we put some tools into parents’ hands to help.

First, the latest creep-out cyber nursery tales. Read on to the bottom for ways to help keep strangers out of your family’s business.

Baby monitor intrusion #1

A US mom in the state of Washington told KIRO TV that her son had been telling his parents for months that he was scared of the voices coming into his bedroom:

For months, my son was telling his family that the 'telephone' was telling him to stay in bed.

This past weekend, the mother heard those voices herself. While her son was napping, she heard a woman’s voice coming from the webcam in her son’s room.

At first, she thought the voices were coming from people outside the house.

But when she walked into the room, she said she heard another woman’s voice. This time, the voice said “Oh, watch this one, she’s coming in again.”

That’s when she saw the camera move in her direction.

The couple say they also heard a man’s voice saying, “Wake up, little boy, daddy’s coming for you,” while the camera followed the parents around the room.

The family, whose names were withheld for security purposes, had been using a wireless Foscam IP camera as a baby monitor.

As KIRO 7 reporter Kevin McCarty tells it, when the family called Foscam, they were told that

...It was possible that someone somewhere hacked into the system and were controlling it with a laptop or a smartphone app, but there was no way of knowing who that was or whether they were living nearby or on the other side of the country.

“Possible” that someone hacked into the system? “Undoubtedly” sounds like a better word choice, given a webcam swiveling about without its owners’ input and strangers’ voices coming through.

At any rate, determining whether or not the monitor had been taken over by e-marauders shouldn’t have been all that hard – all you have to do is check the logs to see what IP addresses have been accessing it, besides that of the parents.

That’s what a family did earlier this month after hearing creepy music coming from its Foscam baby monitor.

Indeed, at the time, Foscam told Computerworld that its cameras have “embedded logs which allow you to see exactly which IP addresses are accessing the camera”:

You will be able to tell if an outsider has gained access to your camera.

That couple, from Minnesota, looked up the IP address of the intruder and discovered that the music was actually emanating from overseas – Amsterdam, in fact.
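The log check described above, as an added example that is not from the original article or from Foscam: Python code that groups a camera's access log by source IP address and lists the addresses that are neither on the home network nor recognised by the family. The log layout, the "ptz_move" action name, the 192.168.1.0/24 home range and all addresses are constructed assumptions; real cameras use vendor-specific formats.

```python
import ipaddress
import re

# Constructed sample log. Real cameras use vendor-specific formats, so the
# regex below is an assumption to adapt, not Foscam's actual layout.
SAMPLE_LOG = """\
2015-04-20 07:58:11  admin  192.168.1.23  access
2015-04-20 13:02:45  admin  192.168.1.23  access
2015-04-21 02:14:09  admin  203.0.113.77  access
2015-04-21 02:15:30  admin  203.0.113.77  ptz_move
2015-04-21 09:40:02  admin  198.51.100.5  access
2015-04-21 21:10:00  admin  not-an-ip     access
"""
LINE_RE = re.compile(r"^(\S+ \S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def summarize_access(log_text, home_lan="192.168.1.0/24", known_remote=()):
    """Group entries by source IP, labelled home / known / unknown.
    home_lan is the family's own range; known_remote lists outside addresses
    they recognise. Returns (per-IP summary, lines that failed to parse).
    """
    lan = ipaddress.ip_network(home_lan)
    known = {ipaddress.ip_address(a) for a in known_remote}
    summary, skipped = {}, []
    for line in filter(None, map(str.strip, log_text.splitlines())):
        m = LINE_RE.match(line)
        try:
            ts, _user, src, action = m.groups()
            ip = ipaddress.ip_address(src)
        except (AttributeError, ValueError):  # no regex match, or bad address
            skipped.append(line)  # keep for manual review
            continue
        label = "home" if ip in lan else "known" if ip in known else "unknown"
        e = summary.setdefault(str(ip), {"label": label, "count": 0,
                                         "first": ts, "last": ts, "actions": set()})
        e["count"] += 1
        e["first"], e["last"] = min(e["first"], ts), max(e["last"], ts)
        e["actions"].add(action)
    return summary, skipped


def unknown_sources(summary):
    """IPs that are neither on the home network nor recognised by the family."""
    return sorted(ip for ip, e in summary.items() if e["label"] == "unknown")


if __name__ == "__main__":
    report, bad = summarize_access(SAMPLE_LOG, known_remote=["198.51.100.5"])
    print(unknown_sources(report), report.get("203.0.113.77"), bad)
```

An address that turns up as unknown can then be looked up, as the Minnesota couple did, and the camera and Wi-Fi passwords changed.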

They followed the IP address to a site with thousands of streams coming from cameras just like theirs, from at least 15 countries.

A similar site was found in November.

The site, Insecam.com, claimed to tap into the direct feeds of hundreds of thousands of private cameras secured with default passwords from 152 countries, allowing strangers to spy on people via security webcams delivering live feeds from bedrooms, offices, shops, restaurants, bars, swimming pools and gymnasiums.

These and other tales have motivated Foscam to do away with default passwords. The cameras it has manufactured for at least the past year force users to change the default password.

The Washington couple said that they did have a password and a username on the baby monitor but “someone got in anyway.”

At any rate, Foscam is far from the only webcam to be exploited by voyeurs. The second recent case of webcam takeover involves a Summer Infant brand wireless IP camera used as a baby monitor by a US mother in Kansas.

Baby monitor intrusion #2

The mom, Megan Klaassen, told KWCH 12 that she had a password on the baby monitor.

But she lives out in the country, and said her home Wi-Fi network was wide open.

After being followed around by her camera when putting her 3-month-old son down for a nap, “every single hair” on her body stood on end, she said.

I was freaked out like very, very scary actually. I knew someone was watching me. I yelled into the camera and I was like, 'quit watching me' but I didn't know what to do. I was just so scared and so shocked that this is actually happening to me.

Klaassen turned off the camera, returned it to the store to swap it for one without wireless capabilities, and says she’s learned a valuable lesson about securing her Wi-Fi network:

I want all the moms out there to know that you're not technically safe just because you either live in the country or you don't have any neighbors. I want them to know to put passwords on these things and monitor whether someone is accessing them or not.

Well said. But with so many of these webcam hijacking stories in the news nowadays, it seems clear that people could use some help beyond the simple admonition to “put a password on your camera.”

While that’s a great suggestion, there’s more to it than that, obviously: after all, both of these families DID have passwords on their monitors.

And as the Kansas cyber intrusion makes clear, often there’s more than one password involved, as well.

Too many families are being unnerved by these privacy intrusions.

We want to help. To that end, Naked Security’s Paul Ducklin has come up with some security recommendations to consider.

If you feel like you’re out of your depth, he says, by all means, get an IT-savvy friend to help.

How to keep Peeping Toms out of the nursery

1. You probably configure your Wi-Fi router via your browser. You want to set it up so that the configuration screens can only be accessed from your side of the network, either by plugging into one of the LAN (local-area network) ports on the back, or via Wi-Fi.

Some routers allow you to open things up so you can access the configuration screens from the WAN (wide-area) side, which means anyone on the internet who can hack or guess the administration password can mess with your settings.

There’s no standard name for this feature, and no standard configuration option to block it. But look for an option along the lines of “remote administration,” “remote management” or “setup via WAN,” and ensure it’s turned off.


2. The configuration screens on your router should be protected by a username and password that you have to enter either when you open one of the screens, or when you try to change something.

The username doesn’t matter too much (it is often “admin” or something similar), but the password is important. If you choose an easy password, anyone who gets onto your network can mess with your settings, whether deliberately or by accident.

Pick a proper password! Here’s how.


3. Your Wi-Fi setup needs a proper password as well, so that you can control who can connect in the first place.

There are three main Wi-Fi security levels: Open (no password), WEP and WPA2. (Older routers may offer WPA as well. That’s similar to WPA2, but if you have WPA2 on offer, choose that instead.)

Don’t use “Open,” or else anyone can connect, even a stranger walking past your house.

And don’t use WEP. It sounds secure, but there’s a bug in how it deals with encryption. Crooks can easily crack a WEP password in a minute or so. This bug can’t be fixed (it’s due to the algorithm used), so some newer routers don’t support WEP. But most routers do, so watch out.

Never use WEP. It gives a false sense of security.

Check out our video if you want to see Sophos bust wireless security myths.


4. Your router vendor probably publishes security updates every so often to patch software bugs that could help a crook break into your network.

Just as you apply Windows updates for security (you do, don’t you?), or OS X updates on your Mac, you need to keep up-to-date on your router.

Go to your vendor’s website and search for support articles relating to security updates. The operating system software for a router is usually called the “firmware.” You may find a dedicated download page for the latest firmware.

You will need to download the right firmware for your model number; you will probably find the model designation on a sticker somewhere on the router.


5. Your webcam may have a password, as well. If so, use it.

Don’t leave it blank, and don’t leave it set to the default value, which crooks probably know already.

If you aren’t sure how to set the password, try the vendor’s support forums.

And, as always, pick a proper password.


Comments

Baby cams are not safe, but neither is the rest of the Internet. We have come to rely on a medium that is not secure. I don’t even mind the NSA knowing what I do, but Google probably knows more about us than the NSA.

Reply

Exactly that. Everyone’s so concerned about government being able to “spy” but in all honesty, I’m more worried about the amount of data that people freely give up to companies who they implicitly trust as the service or products they sell (very little is free, you don’t always pay with cash) makes them believe they’ll be popular and cool in society.

It’s the biggest trick played on the population of the world during the digital age so far: ensure that your digital brand becomes trustworthy and socially acceptable and make sure the authorities look like the bad guys. Clever, very clever. We’ve all been duped. Government knows only a small amount about us compared to what private companies know about us.

Anyway, in relation to this story, what’s wrong with how my parents used to look after me or check on me? It just shows the IoT is a bad idea and I will be avoiding as much as I possibly can.

Reply

Or buy the camera pictured at the top of the story. It is the one I have and it is not IP based. Even knowing as much as I do about security I did not even consider for a second putting an IP based baby monitor in my home.

Reply

Digital cameras are still around and work great for this purpose. Anything connected to the internet is vulnerable and that greatly increases your risk of exposure. I only use my digital monitor in the evenings to monitor the kids while sleeping and I would gladly give up convenience over security anytime. I like my privacy and unless I let you in the door, it will stay that way.

Reply

Except even with a camera password most models do NOT encrypt so your password goes in the clear. Using that free WiFi at a coffee shop and open up your remote camera app on your phone? Your password can be stolen by anyone else near that coffee shop listening in.

Reply

One reason for allowing access to your LAN (local network at home) _only_ from the LAN itself, not from out on the internet.

Reply

The big issue is that most of these come with a dynamic dns feature enabled by default. If you don’t need access to it remotely, disable that feature (although some cheaper models are reported to keep it enabled anyway). Like Paul said above, if you don’t need access over the internet, disable that option.

Reply

In number 3 of Paul’s list of things to make your nursery safer, I would add “Use WPA2. If your router doesn’t support WPA2, buy a different one.”

Reply

I haven’t seen a router that supports WPA and not WPA2. But it’s OK to use WPA if the choices don’t include WPA2. Just don’t use WEP!

Reply

My thinking was that if your router only supports WEP, it’s far too old to be useful. (I wasn’t really thinking of WPA vs. WPA2; your point is well-taken.)

Reply

Thanks for hopefully taking on my concerns from the last post about baby monitors and posting this with references to the fact that a lot of the security is based around the router, as well as the camera.

Reply

Interesting that FOSCAM’s firmware update to force an owner to change the default settings on first login was implemented over a year ago. However people like the ones in the article will never check for updates, they are only interested in opening a box and pushing the power expecting instant results without any regard for their own privacy and security until it’s too late.

Reply

I find it funny how people are quick to blame an unsecure wifi connection for this issue. This is not the case here. The issue is the cloud service that is bundled with the web cam. We just looked at our Summer webcam that my wife felt compelled to buy when we have a secure LAN dedicated to our video security network at the house. It can only be accessed by someone who knows our specific IP address, the port number, and complex password. Otherwise that particular LAN is isolated from the internet and has the same access rules for other PCs on the home network. The cloud service on the other hand sends the video stream to the cloud. It opens a specific port on the user’s router that stays open. I can’t even tell you if the video stream is encrypted. However, anyone with access to the cloud server can access the video on the camera. NOT GOOD.

To sum up, the issue here is the simple stupid cloud service and not the security of the wifi network.

Reply

Really amazing article. Since the hackers around are more active than before, we need more ideas to secure the monitors.

Reply
