Houston parents Marc Gilbert and his wife Lauren were recently terrified to discover an unfamiliar voice in their 2-year-old daughter’s room. Incredibly, the voice was cursing at the baby — Marc told ABC News this week the voice called her an “effing moron,” and told her to “wake up you little slut.”
However, there was nobody in the room. The European-accented voice was coming from the couple’s baby monitor — it had been hacked.
It’s a worrying case, but may be part of a wider problem. Kashmir Hill of Forbes was able to deduce that the baby monitor in question used a Foscam wireless camera. Earlier this year, two researchers from security firm Qualys released details of serious security flaws with the Hong Kong-based Foscam brand, which is sometimes sold under other names in different places.
There appear to be a variety of ways to gain access to the cams. PC World reported in April that one method involved using the “Shodan search engine to search for an HTTP header specific to the Web-based user interfaces of the cameras.” With this, an outsider could find a camera with the default “admin” user name and no password, which could be accessed remotely — around 20% of users, according to Information Week.
Another involved a loophole in the camera’s web interface that allowed outsiders to take a “snapshot” of the device’s memory, including the admin username and password, while others relied on “brute force” attacks and other technical tactics. You can see the full presentation from Qualys’ Sergey Shekyan and Artem Harutyunyan here.
Foscam has released a fix for some of the issues brought up by Qualys, but it’s not clear how many of the cams have the new firmware — it’s likely that the vast majority don’t. Information Week suggests that if you have a camera, the best option to prevent this from happening to you is to stop the camera from connecting to the wifi. This is not always possible, however.
Worryingly, Foscam may not be the only camera brand susceptible to these problems. Last year a different company named Trendnet was forced to put out an update to fix one security hole. Researchers also announced earlier last year that three different brands of standalone CCTV cameras could be accessed remotely. Instructions for hacking cameras and other appliances connected to the Internet can be found with a quick Google search, and while they’re not simple, people with some technical knowledge should be able to do it without too much hassle — Forbes’ Hill found it relatively easy to hack into a stranger’s “smart home” (with permission) last month via the Internet.
Quite why anyone would want to swear at a 2-year-old remotely is anyone’s guess, but thankfully the story isn’t as bad as it could be. Marc Gilbert told ABC News that his daughter didn’t wake up when she heard a stranger’s voice because she’s partially deaf.
Regardless, Gilbert is now leaving the baby monitor unplugged.