Bitdefender researchers have discovered multiple security vulnerabilities in a widely used baby monitor, the iBaby Monitor M6S. Analysts, who partnered with PCMag, say that all it would take to exploit these cameras is someone who has access to one of these devices and a bit of rudimentary network skills. It's a piece of cake after that.
It's a terrifying scenario with far-reaching consequences for parents and just about anyone who cares about tech's impact on everyday privacy. And if you're keeping tabs, it's also disturbing proof that some of these companies have yet to learn anything about bolstering security — in spite of disturbing reports of hackers taking control of home surveillance devices like Ring and Nest cameras.
Easy breezy access to cloud storage —
Bitdefender researchers discovered that iBaby Monitor M6S cameras possess remarkably weak security infrastructure that would let hackers easily access recorded videos, photos, live feeds, and personal information in cloud storage run by Amazon Web Services. The analysts say that iBaby's secret and access ID keys open the doors to just about any home.
Stunningly weak server configuration —
iBaby monitors rely on a protocol titled MQ Telemetry Transport (MQTT). It's basically how it executes communication. The problem is that iBaby's MQTT server is so open and loose that if one person had the credentials to one monitor, they could easily access other iBaby cameras if they wanted to, and easily run cameras, take photos through the monitor, activate music, and record clips of unsuspecting homes.
Baffling silence —
For the parents who rely on iBaby cams to keep an eye on their little ones, these vulnerabilities sound undoubtedly nightmarish but its iBaby Labs' deafening silence that worsens the entire issue. According to PCMag, Bitdefender privately alerted the company about its security risks in May of 2019, and gave it 90 days to present a solution. Yet in spite of the team's obviously generous timeline, the creators of iBaby monitors have yet to speak up, let alone offer a remedy.
If you own one of these devices, our brutally honest advice would be to switch it for a monitor that is more robust and secure as Bitdefender warns, "Determined attackers are currently able to leverage these vulnerabilities to gain access to a user’s system and/or personal information within seconds [emphasis ours]."
Update: iBaby says it has taken steps to address the issues and will be rolling out an additional update to "further enhance data security." The company says there was no breach of data.
"We have immediately deactivated the potentially compromised AWS authentication information," the company says. "In addition, we've taken a few measures to tighten the security such as limited the cloud storage access and enhanced the MQTT server configuration to strictly limit the topics to which each device can subscribe to. We are continuing to enhance all our safety efforts."
