Earlier this month, a woman in South Carolina took to Facebook to claim that a baby monitor she recently purchased had been hacked to spy on her and her toddler. The device was sold under the brand Fredi and came equipped with a 360 degree IP camera, infrared night vision, microphone and speaker and WiFi connectability.
According to security researchers at Sec-Consult, this baby monitor, like other consumer surveillance devices, has a P2P cloud feature that is enabled by default.
“The device connects to a cloud server infrastructure and keeps this connection up. All supported smartphone and desktop apps can connect to the device via the cloud,” Sec-Consult researchers wrote in a blog. “From a usability perspective this makes it easier for users to interact with the product, since the user does not have to be in the same network (e.g. the same Wi-Fi network) to be able to connect to the device.”
However, this P2P cloud feature bypasses firewalls and allows remote connections into private networks. In other words, hackers can launch attacks on the exposed devices.
According to the researchers, a China-based company called Shenzhen Gwelltimes Technology developed the camera firmware and designed the hardware for the baby monitor.
Researchers suspect that this firm likely has the same business model as another Chinese firm -Hangzhou Xiongmai - which gained notoriety after it was revealed that a significant number of Mirai botnet comprised of Xiongmai devices.
“Here we have a Chinese company that is never mentioned anywhere, developing insecure products and sending our most private information home to their Chinese servers,” Sec-Consult researchers said. “Although they have been confronted with the security issues months ago, they have decided not to fix them.”
Hackers targeting IoT devices like smart baby monitors, smart TVs and even smart locks, is not new. In the wake of the now-infamous Mirai attacks, cybercriminals began aggressively creating botnets to enslave IoT devices and launch massive attacks. This trend continues and will likely remain a popular attack strategy as long as IoT devices continue to be designed with vulnerable security protections.