Skip to main content

Security experts find baby monitor bug that could let strangers watch your kids

iBaby Monitor M6S
(Image credit: iBaby)

Update (February 28 2020)

In light of BitDefender's findings, iBaby Labs has issued the following advice to its customers:

Dear iBaby users,

After a day of research and investigating the potential issue as posted on several media sources, we have the following updates:

The issue:

Online resources reported potential vulnerabilities of iBaby M6S on February 26-27th.

What iBaby has done:

We have immediately deactivated the potentially compromised AWS authentication information. In addition, we've taken a few measures to tighten the security such as limited the cloud storage access and enhanced the MQTT server configuration to strictly limit the topics to which each device can subscribe to. We are continuing to enhance all our safety efforts.

Information that could have been potentially impacted:

Some information uploaded to the cloud storage S3 by the device. So far, no hackings have been spotted and no critical information regarding your account was affected (username, password).

What you can do:

Since there was no breach of data, your iBaby account has been secure and protected. However, as a security measure, you should periodically change your password and delete inactive invited users. We also recommend that you do not use a similar password to other websites.

What iBaby will do:

Soon we will also release a firmware update to be pushed out to your device. Once it's available, you will receive a notification. This will further enhance data security.

Since iBaby Labs was established in 2011, customer security has been our #1 priority. We sincerely thank you to our loyal users for over ten generations of products.

We are so thankful to have had our iBaby monitors featured in many articles and reputable online channels and nominated as top devices in the baby monitor industry. We are also thankful for the researcher's and reporter's in-depth reports and help to build a better IoT ecosystem for everyone. We will continue to strive to design and produce the best baby monitors on the market!

More information

If you have any further question, please feel free to contact our team: support@ibabylabs.com or visit our website www.ibabylabs.com

If you are a member of the media and would like to reach out to us, please email us at media@ibabylabs.com

Regards,

iBaby Labs  

Update (February 28 2020)

iBaby has issued the following statement in response to our request for a comment on BitDefender's findings: 

"It has come to our attention that certain online articles (published Feb. 26-27th, 2020) regarding the vulnerabilities of our iBaby M6S have caused concerns. We want to reassure you that the security of our customers’ database is and has always been our utmost #1 priority.

"We follow strict government privacy guidelines and use the industry’s highest standards to guard the safety of our customers’ data. 

"However, we are quickly researching these reports and verifying the validity of the claims.  

"Right now we have not received any data compromising reports. We are also working with members of the media to research and investigate their reports."

Original story continues below

Security researchers have discovered a vulnerability in a popular video baby monitor, which could allow strangers to view footage from its camera, and even take control of the device remotely.

One the face of it, a smart baby monitor seems like a great idea for new parent, allowing them to keep an eye on their kids using a smartphone app. Unfortunately, if security measures aren't implemented properly, they can be a serious privacy risk.

Experts from Bitdefender (in collaboration with PCMag) discovered a severe vulnerability with the iBaby Monitor M6S, which lets third parties access stored files, obtain personal information, and take over the camera itself.

Diving into the device's firmware revealed that, although the camera uses strong encryption standards, they aren't properly implemented. The camera sends encrypted data to iBaby's servers using HTTPS, but the security certificate isn't validated, allowing it to be intercepted by a man-in-the-middle attack.

What you can do

So just how likely is it for anyone to exploit such a weakness? Perhaps more than you'd expect. 

At a security demonstration for the release of the Bitdefender Box, TechRadar saw just how easy it is to find and take remote control of a poorly secured IP camera. It's remarkably straightforward, requiring no expert equipment and little specialist knowledge.

Many cameras are even more vulnerable than the iBaby monitor, thanks to problems like hard-coded admin logins, and firmware based on old open source code with well-publicized weaknesses.

Bitdefender and TechRadar have contacted iBaby for comment, but so far the company has yet to reply. Hopefully it will soon respond to the researchers' findings and issue an update that will patch the vulnerability, but for the time being the only 'solution' is to disconnect the device from your network.

Internet of Things devices can be enormously useful, but it pays to be cautious. It's wise to only buy products from known brands that will hold themselves (and be held) to strict standards. Always install any firmware updates as soon as they become available, and subscribe to email notifications from the company so you're made aware if anything goes awry.

It's also worth considering investing in a hardware firewall that will monitor incoming and outgoing network traffic for all your devices, and alert you if anything looks unusual.