Hacking baby monitors is nothing new but the fact that there are thousands of vulnerable baby monitors out there is a big concern. Recently, the IT security researchers at Austrian firm SEC Consult have discovered a set of critical vulnerabilities in Mi-Cam baby monitors which allow hackers to take full control of these devices and spy on children.
Mi-Cam baby monitors can be hacked
Mi-Cam baby monitors are manufactured by a Chinese firm MiSafes and are equipped with Internet-connected video monitoring system along with 720P HD quality camera. These monitors allow parents to keep an eye on kids through Android and iOS devices, However, currently, these devices are vulnerable and other than parents, hackers can also spy on kids and perform a number of other tasks including “unauthenticated access and hijacking of arbitrary video baby monitors.”
According to researchers, there are total six vulnerabilities out of which one lets attackers breach the device’s security on Mi-Cam Android app without the need for client SSL certificate or password. The only thing an attacker has to do is use a proxy server in order to intercept communication between the monitor and smartphone.
This video shows how the vulnerability works
Another vulnerability exists in the device’s password forget function. Mi-Cam allows users to reset their password and in order to verify the user, it sends a 6-digit validation key to the email address used by the customer at the time of signing up. However, hackers can use brute force technique and compromise a targeted account.
Furthermore, one of the vulnerabilities lets attacker gain hardware level access to the device and extract the firmware since these devices hold “unlabeled Universal asynchronous receiver/transmitter (UART) interface.” Moreover, by extracting the firmware attackers can identify “very weak 4-digit default credentials for the root user accounts used by the video baby monitor.”
The firm has also identified that software used in these baby monitors are outdated and already affected by publically known vulnerabilities including those detailed in SEC Consult’s security advisory under the “Outdated and Vulnerable Software” section.
No response from the vendor
Currently, over 52,000 video baby monitors and user accounts are vulnerable but despite informing MiSafes on several occasions since December 2017, there has been no response from the company, therefore, the critical security flaws still exist in the affected product. The researchers strictly advise that users should stop using these baby monitors as there is no update available otherwise they might be the victim of non-stop hacking attempts.
Remember, Internet-connected (IoT) devices are highly vulnerable and not only allow hackers to scare kids but also let pedophiles can keep an eye on vulnerable children or in some cases record footages and sold on the dark web. Therefore, if you are using a baby monitor for your child make sure it is properly secured.