Another mouthbreather with nothing better to do than hack a baby monitor and broadcast their “love” for a 3-year-old has apparently struck again.
This time, it happened to a family in Seattle.
According to local broadcaster King 5, a couple who asked to be identified only as Jo and John said that their daughter, Jaden, was spied on by a stranger who spoke to the tot via a babycam last week. The King 5 segment is also available on Insider.
What Jaden’s mom, Jo, told King 5:
We were both downstairs working in our office here, and our daughter called out. She’s saying, ‘Mommy, mommy.’ She said, ‘The voice is talking to me.’
After Jo went upstairs to check, here’s what she heard:
I said, ‘What’s going on?’ And she said the man said, ‘Jaden, I love you.’ And I said, ‘What!’
Neither parent heard the voice of the hacker first-hand. At first, they thought nothing of it. But then, the couple said, John’s mother heard a stranger’s voice coming from upstairs last week. Meanwhile, Jaden’s story has stayed consistent: yes, the voice comes from the camera; no, not from a nearby stuffed animal.
Jo and John also noticed that the camera had been mysteriously resetting itself, moving its focus from its typical angle of looking down into Jaden’s crib, to instead peer up, into the room, without their input.
The spycam in question
The couple say that the baby monitor is a Taococo FREDI model that they got as a baby shower gift for their youngest child about six months ago. Going for around $50 on Amazon, it’s a Wi-Fi-enabled webcam that lets people keep an eye on their babies, their elders, their pets, or, surreptitiously, their nannies, beaming out a live stream to phones “any time, no matter where you are.”
As SEC-Consult has previously reported, it’s a little tough to figure out exactly who manufactures these webcams. A quick search on Alibaba.com returns several suppliers for this type of camera, most of which offer “OEM/ODM” services, including custom branding, for wholesale customers.
One of the OEMs, Shenzhen Gwelltimes Technology Co., Ltd., develops the camera firmware, designs the hardware and operates the “P2P Cloud” service that’s enabled by default and which is typical of consumer-grade surveillance products. The cloud service makes it easy for users to access video data no matter where they are, from their phones or desktops.
However, the fact that there’s an internet connection involved raises all sorts of security questions, such as whether the stream is encrypted or whether that connection can be intercepted by hackers. Another question: who’s monitoring the servers? A country that’s governed by data privacy laws such as the General Data Protection Regulation (GDPR)? Or a country that isn’t, such as China?
As it is, the “P2P Cloud” service was successfully attacked in 2017 by Berlin-based Security Research Labs. The researchers started by scanning for valid device IDs, brute-forcing passwords, and then exploiting missing firmware update integrity/authenticity checks to gain remote code execution (RCE) and persistence on the device.
To somebody who just wants to make sure their baby’s OK – that’s a lot of “yikes!”.
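The 2017 attack chain above ended with missing firmware update integrity/authenticity checks. As an added illustration (not code from this article or from the camera’s vendor), here is what the check a device should run before writing an update to flash looks like, using a hypothetical image layout and a symmetric MAC for brevity; a shipping product should use an asymmetric signature so the signing key never leaves the vendor.

```python
import hashlib
import hmac
import struct

# Hypothetical image layout, constructed for this example (not the FREDI/Gwelltimes format):
#   magic(4) | version(4, big-endian) | length(4) | payload(length) | tag(32)
# where tag = HMAC-SHA256(key, header + payload).
MAGIC = b"FWIM"
HEADER = struct.Struct(">4sII")
TAG_LEN = 32


def build_image(key: bytes, version: int, payload: bytes) -> bytes:
    """Produce an authenticated image; in a real product this runs only at the vendor."""
    header = HEADER.pack(MAGIC, version, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(key: bytes, image: bytes, installed_version: int) -> tuple[bool, str]:
    """Checks a device must pass before accepting an update.

    Returns (accepted, reason). Every failure path rejects the image outright.
    """
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated image"
    magic, version, length = HEADER.unpack_from(image)
    if magic != MAGIC:
        return False, "bad magic"
    body_end = HEADER.size + length
    # The declared length must match the bytes actually received.
    if body_end + TAG_LEN != len(image):
        return False, "length mismatch"
    # Authenticity: recompute the tag over header + payload and compare in constant time.
    expected = hmac.new(key, image[:body_end], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, image[body_end:]):
        return False, "authentication failed"
    # Anti-rollback: refuse to downgrade to an older (possibly vulnerable) version.
    if version <= installed_version:
        return False, "rollback refused"
    return True, "ok"
```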
A history of hacks
In 2018, it was 24-year-old Jamie Summit whose $34 FREDI wireless baby monitor was hacked by a stranger who spied on her, moving the camera to face the bed where she breastfed her 3-month-old son.
Summit told WCIV that she felt guilty “for not doing enough research on this.”
I didn’t know this was something I needed to look into. I thought baby monitors were kind of cut and dry. You find a baby monitor, you watch them napping, it was supposed to be a safety thing.
How to research a baby monitor
About a year ago, Naked Security’s Maria Varmazis was in the market for a baby monitor. Unlike many parents of newborns, Maria was, in fact, very aware of the need to research the safety of baby monitors. After she did, she put together this guide on how to buy and set up a safe and secure monitor.
Using Maria’s tips, I put together the following list of questions for the OEM behind the FREDI monitor… a monitor that Mozilla has deemed to be easily hacked, from a company that seems to lack a privacy policy.
I’ll update the story if I hear back, though nobody who’s looked into this particular monitor has reportedly ever heard back from the manufacturer/OEM.
- Does this product offer at least SSL/TLS encryption for video transmission over the internet?
- Does it offer AES for encrypting any data that’s stored on a device or in the cloud?
- Does this baby monitor use a default password?
- Does the product force customers to change the default password before using the baby monitor?
- Does your company have a privacy policy? If so, please send a link to that policy.
Feel free to adapt those questions in order to do your own research into babycams, and most certainly feel free to share what you find, in the comments section below.
Mahhn
How about, restrict the camera to local network access only (block it at the firewall) and access the camera by VPNing into your home PC to look at the camera. You can save months of work by keeping it simple like that. And Sophos has a free home firewall that would fit the bill, and includes VPN tools.
Joe Norton
How about turning off UPnP on your router or baby cam, so the baby cam won’t expose itself to the internet.