Misconfigured Baby Monitors Allow Unauthorized Viewing

A vulnerability affecting multiple baby monitors could allow someone to drop in and view a camera’s video stream, according to researchers. Potentially hundreds of thousands of live devices are impacted, they said.

The issue exists in the manufacturers’ implementation of the Real-Time Streaming Protocol (RTSP), which is a set of procedures used by various cameras to control their streaming media. It’s possible to misconfigure its implementation, so that no authentication is needed for unknown parties to connect, according to the SafetyDetectives cybersecurity team.

“Whilst this means that potentially harmful individuals could be able to access private images of your children, their bedrooms and possessions, this specific vulnerability is also concerning with regards to daycare centers – which are commonly known to stream video from inside kindergarten for onlooking parents and guardians,” researchers said. “If your baby monitor or any RTSP camera does not require parties to enter a password each time they connect to the video stream, the images shown on that stream are potentially unsecured, and therefore accessible to anyone.”

The specific models that the team tested that proved to be vulnerable include the Hipcam RealServer/V1.0; the webcamXP 5; and the Boa/0.94. 14rc21.

Initial research on Shodan showed large numbers of vulnerable devices connected to the internet, all over the world.

“Our team was able to identify unsecured devices either through their ‘server header,’ or their onscreen overlay that details the particular brand,” according to researchers, writing on Tuesday. “A server header is a strip of information provided with RTSP that details numerous factors, including the device type. The server header gives us evidence of which devices provide unauthorized access.”

Hundreds of Thousands of Potential Victims

The SafetyDetectives team first uncovered 110,000 open camera streams.

“Of these cameras, over half of them are being used as CCTV, providing surveillance for shops or the exterior of properties,” they explained. “Around 10 percent of these cameras are used for viewing house interiors, like living rooms or hallways. Most of the remaining cameras are baby monitors, being used to check up on children, or as cameras in child daycare centers, or retirement homes.”

Given the number of people in a daycare center at any given time, the number of individuals affected could be quite high, according to the report.

“There’s also the possibility that there are hundreds of thousands of additional streams yet undiscovered, that we simply do not have the time to sift through,” researchers said.

What Causes this Data Exposure?

The SafetyDetectives team didn’t provide granular technical details, but in general found four primary reasons for why baby monitors can become unsecured.

• Devices designed for local networks are streamed over the internet.
• Some devices can be misconfigured for use outside of a local network, without adequate authorization.
• IP webcams that are repackaged as baby monitors.
• Manufacturer oversight.

On the first two points, baby monitors are designed for use on local networks that are linked together in one physical location, such as a residence, an office or a school. Thus, some allow local devices to connect to their streams freely, with the assurance that the privatized, local network itself will provide enough security.

“Unfortunately, if an organization (such as a daycare center) was to stream with this type of device online and the connection isn’t password-protected, there are no security procedures in place to stop anyone from gaining access to these cameras,” according to the researchers.

Some cameras also allow a direct connection to a laptop or computer that also has access to the internet, opening up a potential attack avenue.

The latter two points have to do with manufacturer choices.

“In the name of cutting-corners, various companies have been known to rebrand IP webcams as baby monitors,” according to the report. “This is a common occurrence within the e-commerce space, where a number of e-commerce stores wrongly advertise cameras as products that are suitable for use as a baby monitor. In most cases, the original manufacturer has not intended, nor marketed, their product for use as such.”

So, if a parent uses these cameras to view their video streams from outside of the home, these devices can quite easily become misconfigured, allowing unauthorized access without the owners realizing it.

“Manufacturers also have a responsibility to warn their customers that they must secure their devices properly before taking them online,” researchers noted. “Many brands fail to warn customers in a way that is glaringly obvious, if at all. Unfortunately, the end result of manufacturer oversight can be a slapdash product without any of the important authentication procedures.”

How to Protect Children from Snoopers

The potential impact of these misconfigurations can be severe, the researchers pointed out. But there are steps a user can take to only allow access to people who are permitted to view the video stream.

“Many of these cameras are streaming directly and indirectly identifiable information,” researchers said. “This can include anything from images of your children to the interior of your house or daycare center. Some hackers are even able to find out the name and address of the user (through the use of additional programs).”

• Refer to the camera’s user guide to find out how to password-protect the device.
• If the device does not allow users to set a password, avoid exposing it to the internet altogether.
• Log into the home or facilty router and look for a setting called “access control” or “access list.” This allows users to whitelist specific IP addresses, allowing only those devices to connect. (Devices attempting to connect with the router will appear in a ‘blocked’ menu, and users can simply click ‘allow’ to grant them access.
• Research each device thoroughly before buying, to make sure it’s a legitimate baby monitor and not a repackaged Wi-Fi webcam.
• Daycare centers should make sure their devices are secured through password protection.

Is your small- to medium-sized business an easy mark for attackers? 

Threatpost WEBINAR: Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a  FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.