A New Age of Baby Monitors, Has Privacy Gone Out the Window?

With the increase in smart-home tech and IOT (Internet Of Things ), technology is being inserted into every device imaginable: Lose your keys? Get a tile. Forget to pick up milk? How about a smart fridge.

From lighting to stoves, security to creature comforts, technology is here to make our lives better. So when you enter a new phase of life, a trying time filled with unknowns, any device that could take away some stress would be welcomed with open arms. But sometimes what you don’t know can hurt you, or at least your privacy.

Smart baby monitors have been popping up in droves, magical little pieces of tech that can alert you if your baby is too cold, too hot, having trouble breathing, has rolled over etc. In the case of the Owlet Smart Sock, this simple device that slips on your baby’s foot (it is a sock after all) can track: heart rate, oxygen levels, and sleep cycles, and log all this info inside an app on your phone.

Or In the case of the Cocoon Cam, a video baby monitor that mounts above the crib, you can use the camera to monitor breaths without even having contact with the baby.

All of this technology is certainly easing stress of new parents and could have the potential to do a lot of good. There are some questions you should be asking before pulling the trigger on that new monitor, but first, a little background on these devices and their security.

These monitors communicate over the internet; this allows them to communicate with your smartphone or other devices from anywhere in the world. In some cases the monitors use the internet to talk to a remote server that can do advanced processing of the data being gathered. The way these devices talk with the outside world from behind your internet router and modem is through a figurative doorway called a port, this port is a hole punched through all the roadblocks like firewalls that allow outside devices to see it. In many cases these ports are exposed automatically using a system called Universal Plug and Play or UPnP, this enables the devices to connect to your smartphone and/or remote servers without the user having to know how to setup firewall rules and settings and to simply plug in the device and with little effort, be ready to use this new tech.

Pretty convenient, but there’s a problem. A door from the internet directly into your home network has just been installed, possibly without the user even realizing. So why is this a potential problem? well, that depends on the quality of the devices security.

These ports are a lot like installing a door into a wall of your home, obviously a wall is more secure, but a door can be secured with a lock. The quality of the door lock (among a few other things) will determine the security of your home, err.. network? The locks on the door could be considered similar to the coding of the password and its level of access. So here is the fun part, the other bits of code are similar to the structure of the wall, the door hinges, the door frame, etc. In other words, you don’t need a key to the lock if you can just remove the door or go through the wall. The bits of code that would allow circumventing the door are known as security vulnerabilities and are present in pretty much every bit of software. Larger companies can even have teams that attempt to find these vulnerabilities and figure out how they work, allowing the code writers to fix them. The Code of the device can then be updated to make it more secure.

But what does this all have to do with my baby monitor?

Well, a lot. Now that the baby monitor is connected to the internet, the door has been exposed to the world and its address can be found by common programs called port scanners, these programs are available to pretty much anyone willing to either find them or write their own. Once the port is found, a nefarious hacker, or a slightly bored but informed teenager, can work to exploit any weaknesses in the security and then get access to all the data behind the door. As we listed earlier this can be extensive, including: Video of your baby or house (some cameras can be aimed remotely), temperature, The breathing data/pulse, two way audio, and even your address. Scary hunh?

What can I do to protect myself?

The first way would be to not have an internet connected monitor. Now that the obvious one is out of the way, here are some tips:

1: Use a secure password, NOT YOUR NAME OR ADDRESS, many computers/smartphones/tablets have a built-in password generator and organizer that can generate a very secure password for each site and/or app you use and keep track of them for you.

2: Turn off UPnP in your router’s settings and only manually forward the ports you need. Better yet use a router with a VPN server to securely connect to your home network while away and not expose as few ports as necessary.

3:Only use reputable companies for your monitoring. While not foolproof, the larger/well known companies are more likely to find vulnerabilities and issue fixes.

4:Only Purchase a device with features you intend to use. If a feature is physically not available then it cannot be used by anyone, even a hacker ( No camera, No video ).

5: Be careful of what is visible to the cameras, things such as addresses and names that could be searched.

6: watch for any strange behavior from your devices. Such as the camera position changing on it’s own ( in the case of remote control cameras) getting locked out of your account or seeing large increases in internet usage by the device if you have the ability to monitor this.

Farewell Notes: Trust

All of this boils down to trust. When you place a device in your home, you are trusting the servers and device security of the company from which you purchased the device. If you don’t trust the company that made it, you shouldn’t trust the device with your privacy.

For more Information on the vulnerabilities of baby monitors and IOT, you can read a case study from Rapid7 here https://www.rapid7.com/docs/Hacking-IoT-A-Case-Study-on-Baby-Monitor-Exposures-and-Vulnerabilities.pdf

Author’s Disclaimer: The brands and products used inside this article are for example use only. We cannot vouch for the usability, quality or security of these products and ask that you research any products before you buy and use at your own risk. We have not received any promotional items, product, or reimbursement for any of the items mentioned.