Misconfigured baby monitors exposing video stream online

The vulnerability affects baby monitors and cameras in over 19 countries.

A recent investigation by the SafetyDetectives cybersecurity team revealed a vulnerability in baby monitors due to their misconfiguration which could potentially allow dangerous parties to have unauthorized access to the camera’s video stream.

It was in mid-December 2020 that their team discovered various baby monitors amongst other RTSP (Real-Time Streaming Protocol) devices that did not require authentication for unknown parties to connect.

SEE: Creepy site shows live footage from 73,000 Private security cameras

RTSP is a set of protocols used by various cameras to control their streaming media which shows that it is not only baby monitors but also other cameras using RTSP (such as CCTV cameras) which could be unsecured and unsafe to use for some applications. 

This not only allows harmful individuals to have access to private images of their child, their bedroom, and possessions but also poses a great danger to daycare centers that use baby monitors to allow parents to have access to their child’s activities.

If you monitor your child through a live-feed camera, it is important to understand why this is can be harmful, how these unauthorized connections occur and how you can prevent others from blocking access to your baby monitors or other RTSP cameras.

Understanding the vulnerability

There are four primary scenarios in which the misconfiguration of RTSP cameras and baby monitors can lead to becoming unsecured and exposing data.

• Devices designed for local area networks used to stream over the internet.

A local network is a group of devices connected in the same physical location such as a residence, an office, or a school. Since it cannot be accessed by people outside the specified area, they become private, localized networks, secure from outside connections.

Many baby monitors are designed to be used over such local networks and allow any local device to stream freely with the assurance that the local network itself will provide enough security. 

However, if an organization (such as a daycare center) was to stream with this type of device online and the connection was not password-protected, there would be no security procedures in place to prevent anyone from gaining access to these cameras.

• Some devices can be misconfigured for use outside of a local network, without adequate authorization.

Some cameras may be designed for use within a local network, whilst also allowing a direct connection to your laptop or computer. With this type of camera, many users fail to implement the correct security procedures (such as password protection), resulting in a baby monitor that allows unauthorized access.

• IP webcams are repackaged as baby-monitors.

It has now become a usual occurrence within the e-commerce space for various companies to rebrand IP webcams as baby monitors. Let’s break down why this is extremely dangerous for oblivious parents who try to tamper with the configurations of the device to try to stream the video outside their house.

In most scenarios, the original manufacturer has not intended or marketed the cameras to be used online which leads to them becoming misconfigured and allowing unauthorized access without the owners realizing it. 

• Manufacturers oversight. 

Some manufacturers can unwittingly misconfigure baby monitors to become unsecured. This is often because they desire to provide a ‘pain-free’ installation process and simpler user experience for their customers. Manufacturers also have a responsibility to warn their customers that they must secure their devices properly before taking them online.

SEE: Watch out for pedophiles, 9 internet-connected baby cams can be hacked

Many brands fail to warn customers in a way that is glaringly obvious, if at all. Unfortunately, the end result of manufacturer oversight can be a slapdash product without any of the important authentication procedures.

Vulnerable Devices/Models

According to Safety Detectives’ blog post, the following are the vulnerable devices/models currently exposing live footages to the public:

• H264DVR 1.0
• webcamXP 5
• Boa/0.94. 14rc21
• Hipcam RealServer/V1.0

List of countries where these devices are being used

The researchers have also shared countries where these vulnerable cameras are currently operational. These include the following:

Dangers and risks that people are exposed to

There are potentially hundreds and thousands of people who are exposed to this vulnerability and half of these cameras are used as CCTV cameras, providing surveillance for shops, or the exterior of properties.

Almost 10% of these are used to view house interiors such as living rooms and hallways. The rest are mostly used as baby monitors to check up on children or as cameras in daycare centers, or retirement homes.

Considering that there is, in all likelihood, a large number of people affected on streams within kindergarten or retirement homes, there are potentially over a hundred thousand people affected by this vulnerability.

SEE: Baby pics, videos, location data from Peekaboo Moments app leaked online

Nonetheless, the impact of this vulnerability is huge since many of these cameras are streaming directly and indirectly identifiable information. This can include images of your children to the interior of your house or daycare center. Some hackers are even able to find out the name and address of the user (through the use of additional programs).

Predators could be collecting this information and these images of your children. Criminals are also able to use these cameras to organize their criminal activities, and may even access the controls of cameras that allow rotation.

How to prevent unauthorized access

There are two basic ways in which you can make sure that your devices only permit authorized access to the live stream. Firstly, you can try to set up password protection in your device’s configuration. Since different brands have different ways of doing this, you can check your device’s user guide to figure out how to password protect your cameras.

If your device does not allow you to set up a password, it is preferable that you avoid exposing it to the internet altogether. If you are struggling to set up a password, you can use the second method to safeguard it against snoopers. 

First of all, you must log onto your router. To log onto your router, type your router’s ‘IP address’ into your web browser. You can refer to your internet service provider for this information. Once your router’s ‘log on’ prompt has appeared, enter your service provider’s generic username and password (if you have not changed these details).

Again, this information can be found with your internet provider. Once logged onto your router, you are looking for a setting called ‘access control’ or ‘access list.’ You need to turn this on. Whilst many providers have a different menu layout, you can find out how to locate this information in your router’s user guide.

From here you can whitelist specific IP addresses, allowing only those devices to connect. Devices attempting to connect with your router will appear in a ‘blocked’ menu, and you can simply click ‘allow’ if you wish to grant them access.

You can also add whitelisted devices manually, by entering the device’s MAC address into the appropriate input field. A device’s MAC address can be found in its settings.

Do this for every device you would like to authorize, and your baby monitors are safe to use. Still, however, you can prevent these problems from arising in the first place by researching each device thoroughly before purchasing it.

SEE: Over 50,000 baby monitors can be hacked but its vendor is AWOL

It is important to realize that you should not rely on the brand’s images/explanation of the product; you want to make sure you are buying a legitimate baby monitor and not a repackaged wifi webcam. This is especially important when buying from reseller stores.

Did you enjoy reading this article? Don’t forget to like our page on Facebook and follow us on Twitter!