
Summary:

It’s pretty worrying when a hacker can take over a baby monitor and start yelling obscenities at an infant girl. But the incident provides a taste of the future if makers of connected devices don’t think security-first.

Foscam baby monitor

The internet of things promises great things with its profusion of connected devices, but it also brings with it significant risks. My colleague Derrick Harris recently described many of those risks, several of which involve networked security cameras and smart TV webcams, but here’s a very real-world example of what can go wrong – and why the internet of things could be a security nightmare.

This week ABC News reported an incident that struck a Houston, Texas, couple and their infant girl. A European-accented hacker took control of the Foscam baby monitor that was keeping an eye on the girl and started cursing at her (as it happens, she’s deaf) and her parents. The hacker was also moving the camera around, so he could likely see through it too.


Unsurprisingly, that baby monitor is now disconnected and the parents say they’re unlikely to hook it up again. But the incident highlights a deeper problem that is a hot topic in the nascent internet of things industry, and it’s sure to be a subject for discussion at our “Do you really want all your things on the internet?” panel at Structure:Europe in London from 18-19 September, where experts such as Alicia Asin (Libelium CEO), Michael Simon (LogMeIn CEO), and Alexandra Deschamps-Sonsino (Good Night Lamp founder) should have a lot to say.

Many hackable things

According to the BBC, hackers have known for a while how to tap into these devices (and not just Foscam’s products, either). Security researchers told Foscam back in April that there were vulnerabilities in its baby monitor software — a big one was the fact that the device’s default admin username was “admin” and there was no password requirement. Attackers could also apparently scrape Foscam’s website for individual device codes, which they could then target.

Foscam issued a firmware update in June, boosting the device’s security to a certain extent. It’s not clear whether the Gilbert family, featured in that ABC report, installed the update — apparently they would have only known to do so if they had signed up to a firmware update newsletter.

Is that good enough? Probably not — a baby monitor will by definition be used in a sensitive situation where security is paramount. Updates should either happen automatically or all owners should be notified when such a critical patch is issued. And passwords should be strong.

Increased complexity

That said, when you take into account how many connected devices will be in our homes in the coming years — from door locks to thermostats — it becomes clear that homeowners will need to take a lot of security management into account in their daily lives.

Today, we’re used to updating the firmware on our phones and maybe our TVs. Tomorrow, things could be a lot more complicated. And, as always, the balance between security and convenience will be key to making sure the internet of things doesn’t turn scary.


  1. This piece illustrates that a prerequisite for the ‘Internet of Things’ is the ‘Authentication of Things’!

  2. The issue isn’t having internet-connected devices becoming more ubiquitous, it’s buying products from companies that insist on rushing things out the door. We’ve known not to do this for a long time, but the risks with products that, oh, stream video from your home across the internet, are much greater.

    And really, this company should fire the entire team that let this happen. They won’t, of course, because it was plausibly the fault of management insisting that security wasn’t important when the developers tried to spend more time on it.

  3. No mention of the apparently insecure router. I doubt the attacker was within direct wireless range. Routers generally don’t come with a lot of open ports. I suspect the port in question was opened deliberately to allow offsite monitoring by the parents. You can’t fix stupid.

    1. Don’t assume, research: This was an IP camera, anyone with the IP and ID could access it. It was clearly the company’s fault for not requiring a password.

  4. W. David Stephenson Thursday, August 15, 2013

    I blogged on this issue several days ago http://bit.ly/1a7RJkm (and am trying to place an op-ed co-authored with my colleague, Chris Rezendes).

    It strikes me, from my prior life as a corporate crisis consultant, that this is just the kind of anecdote — because it strikes parents on such a primal level — that will be cited for years to come by privacy opponents of the IoT (heck, I’m certain that I’ll give it more mileage myself by bringing it up in my own speeches and writings, albeit as a clarion call for IoT companies to make security and privacy of equal rank to innovative technologies as their primary concerns).

    Mark my words: this is a make-it-or-break-it moment for the IoT. People in IoT who don’t realize exactly how serious this kind of situation is will suffer the consequences!

  5. W. David Stephenson Thursday, August 15, 2013

    I just blogged about this incident (shar.es/yQh03 ), which I regard as a watershed for the IoT because it arouses such primal fears on the part of parents. It’s just the kind of anecdote that will be repeated by IoT opponents to discredit the field.

  6. To avoid your webcam being taken over without my specific approval, I use mywebcamlock.com. It is a small startup with a cool product.

  7. It looks like the user did not change his default password. That is akin to leaving the door unlocked to your front door — you just don’t do that. Here is the response from the Foscam US website:

    Due to recent exposure of Foscam cameras in the media, we feel it necessary to offer instructions on how to secure your Foscam cameras and urge all of our customers to take the below precautions as a matter of urgency. In order to keep your Foscam cameras secure and prevent various types of hacking and unauthorized access, please ensure to follow the steps outlined below, especially if you have set up port forwarding:

    1. Make sure your camera has the latest firmware installed for your Foscam camera model. The latest firmware for Foscam cameras utilizes protection against brute force attackers. Any attacker attempting multiple wrong password attempts consecutively will be locked out. You can download the latest firmware at http://www.foscam.us/firmware.html

    2. Never use the default username or password for your Foscam camera. Once your camera is fully set up it is imperative to change both the default username and password.

    3. Choose a username and password that is at least 8 – 10 characters or longer. Try to use a combination of lower-case and upper-case letters as well as numbers and special characters.

    4. Change your default port to a port in the 8100 or greater range. Hackers often target default ports and you do not want to make yourself an easy target. By using a non-standard port it will make it more difficult for hackers to find your camera.

    5. Check the logs of your Foscam cameras often. Foscam cameras have embedded logs which allow you to see exactly which IP addresses are accessing the camera. You will be able to tell if an outsider has gained access to your camera.
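As an added illustration of the five steps quoted above (example code, not Foscam's own; the config keys, the firmware labels and the access-log line format are constructed assumptions), a small Python audit that reports which hardening steps a camera's settings fail and which logins came from outside the home network:

```python
"""Check an IP camera's settings against the five Foscam hardening steps.

Added example, not Foscam code. The config dict, firmware labels and log line
format ("date time user ip") are constructed for illustration; the real device
formats are assumed to differ.
"""
import ipaddress
import string

# Defaults the article describes: username "admin", no password, web default port.
DEFAULT_USER, DEFAULT_PASS, DEFAULT_PORT = "admin", "", 80


def password_is_strong(pw: str) -> bool:
    """Step 3: at least 8 characters mixing lower, upper, digits and specials."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return len(pw) >= 8 and all(any(c in cls for c in pw) for cls in classes)


def audit_config(cfg: dict, latest_firmware: str) -> list:
    """Return the steps (numbered as in the notice) that this configuration fails."""
    findings = []
    if cfg["firmware"] != latest_firmware:                      # step 1
        findings.append("1: firmware out of date (no brute-force lockout)")
    if cfg["username"] == DEFAULT_USER or cfg["password"] == DEFAULT_PASS:
        findings.append("2: default username or password still in use")  # step 2
    if not password_is_strong(cfg["password"]):                 # step 3
        findings.append("3: password too weak")
    if cfg["port"] < 8100:                                      # step 4
        findings.append("4: camera reachable on a default/well-known port")
    return findings


def foreign_logins(log_lines, home_network: str) -> list:
    """Step 5: (user, ip) pairs for logins from outside the owner's own LAN."""
    net = ipaddress.ip_network(home_network)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:            # skip lines not in the constructed format
            continue
        _date, _time, user, ip = parts
        if ipaddress.ip_address(ip) not in net:
            hits.append((user, ip))
    return hits


# Constructed sample data: a factory-default camera, a hardened one, and two log lines
# (203.0.113.9 is a documentation address standing in for an unknown outside host).
WEAK_CFG = {"firmware": "FW-OLD", "username": "admin", "password": "", "port": 80}
HARD_CFG = {"firmware": "FW-NEW", "username": "parent1",
            "password": "Tr0ub4dor&3", "port": 8100}
SAMPLE_LOG = ["2013-08-13 21:02:11 admin 192.168.1.23",
              "2013-08-13 23:47:05 admin 203.0.113.9"]
```

Running `audit_config(WEAK_CFG, "FW-NEW")` lists all four configuration steps as failed, and `foreign_logins(SAMPLE_LOG, "192.168.1.0/24")` singles out the second login as coming from outside the home network.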

  8. This is the simple case where you have one device that isn’t autonomously talking to other devices.

    Machine to Machine interactions are where the security challenges of IoT become a lot more challenging. How do I know that the device that is telling my thermostat to adjust the temperature is authenticated and allowed to control that device?

    When you have chains of devices, how do i preserve the privacy of the information end to end?

    We are still in the early hype cycle for this technology and have a long way to go to make it safe and ubiquitous.
