Rock-a-byte, baby: IoT tot-monitoring camera lets miscreants watch 10,000s of kids online

More than 52,000 internet-connected Mi-Cam baby monitors are broadcasting sound and video to whoever comes looking, researchers have claimed. These Wi-Fi gizmos, built by Chinese biz MiSafes, stream 720p video and two-way audio in real-time to apps running on parents' smartphones, via Amazon cloud servers. The application …

  1. Zog_but_not_the_first
    FAIL

    Internet of shit

    Ain't that the truth.


  2. rmason

    This is neither..

    This is neither news, nor a surprise. I'm surprised they even bothered to test it.

    Joe public doesn't know or care. Simple as that. While that fact remains true, and the accompanying fact of people liking cheap things, built down to a certain price, there never will be any security nor should there be an expectation of security.

    I'm sure they'd all love the idea of it, but equally would they buy the equivalent gadget at double the cost, or an extra 100 quid etc? to cover the extra costs in dev and manufacture. Would they fuck. It'd be back to amazon/ebay/aliexpress/gearbest for the 29.99 one.

    1. Anonymous Coward

      Re: Joe public doesn't know or care

      I'm inclined to believe they do care. Instead, it's just that they think it's not their /babycam/ (or whatever) that some supposed random internet bad-guy is going to look at - just like despite all the crimes and accidents that happen, most people don't get burgled, don't have a serious car accident, or don't get cancer (etc). So the typical thought process is "it's not that common, and anyway it's much more likely to happen to somebody else - I reckon I'm pretty safe".

      What they don't get is that since IoT things are computers, they can be exploited en-masse in an automated way. Most other bad things, the ones people tend to expect they might have to worry about, aren't or can't be. Their cultural or psychological models of "bad things" are not built to cope with how things work on the internet.

      1. Eddy Ito

        Re: Joe public doesn't know or care

        Maybe they just think they're getting an internet of babysitters with millions of people checking up on their precious little tot at all hours of the day and night to make sure the little angel is safe and secure.

        What? Why are you laughing? It is at least statistically possible you know!

      2. wyatt

        Re: Joe public doesn't know or care

        No, I can confirm they don't care. My Father in Law set up CCTV at his house. Asked if he wanted to make it 'secure' so that only he could view it he said no, he didn't care as it was only his house. Setting up a VPN would have been straightforward, I had the hardware so it wouldn't have cost him anything.

  3. Anonymous Coward

    "The main problems..."

    Is why this has to go to a cloud service at all. Just how far are you from one of the biggest investments you've ever made? What was the point in having the kid if you can't look after it?

    ... Father-to-be.

    1. spold Silver badge

      Re: "The main problems..."

      >why this has to go to a cloud service at all...

      So when they realise they have a crappy failing business model that doesn't provide any recurring revenue they can start charging for storing video... same as the IoS security and door-bell video products.

      Oh and so baby can create their own You-tube (You-Pooed?) content - Baby Broadcasting Channel "Coos at 10".

      1. Warm Braw

        Re: "The main problems..."

        a crappy failing business model that doesn't provide any recurring revenue

        I was looking into how the Amazon Echo interacts with other local "smart" devices and this seems to be the other big flaw (the other one being the spy-in-the-room issue). You have two devices that are both connected together on a local network yet the Alexa back-end can only communicate with your home automation hub (for example) via a publicly-accessible webserver - it can't send that data back to the Echo and have it pass it on to the destination device in the same room.

        So not only do you have to wonder how Amazon is going to get the recurring revenue to pay for the recurring costs of running Alexa in the cloud, you have to ask the same question about every device it communicates with and has to have a cloud service even if it's merely a conduit for data.

      2. rdhood

        Re: "The main problems..."

        "So when they realise they have a crappy failing business model that doesn't provide any recurring revenue they can start charging for storing video"

        This. Everyone wants another revenue stream. The fact is, there are apps out there that will coordinate RTSP streams from multiple cameras to a storage device ... no 3rd party internet required. But those manufacturers that DID support that in their cheap cameras, INCLUDING MI, have removed that functionality so that they could charge you for cloud storage and viewing. That is a big steaming pile o'crap that is really killing the home security setup, as well as any sort of privacy.

    2. Anonymous Coward

      Re: "The main problems..."

      Never used one of these things but I would assume that when the nipper has been put to bed you can keep an eye on them from downstairs for peace of mind.

      As for cloud I wouldn't touch a device that used the cloud with a twenty foot barge pole because I can guarantee once this company stops selling them it'll get switched off.

    3. Voland's right hand Silver badge

      Re: "The main problems..."

      Most of them do not.

      However the only way of PREVENTING them from going to a cloud service is a firewall.

      So the first thing you do when it comes from a shop is to see if it can be configured to operate in a firewalled DMZ using motion or similar software.

      If it cannot - you send it back to where it came from and thank god for the distance selling regulation.

    4. Cynic_999

      Re: "The main problems..."

      "What was the point in having the kid if you can't look after it?"

      OTOH I really don't see how a random stranger (even if he is a pedoterrorist), can cause or facilitate any harm to your sprog by looking at the image of said offspring. The voyeur will not even know the address where the camera is located. It's even money that the baby's photo will already be plastered all over a few social media accounts that anyone can access. Just avoid giving the baby your current credit card as a teething aid when it is within sight of any Internet connected HD camera.

      1. Kernel

        Re: "The main problems..."

        " The voyeur will not even know the address where the camera is located. "

        Our kids now have kids of their own so this only affects me indirectly - but I won't be suggesting to them that the monitors are not sending back enough information about the AP they're connected to, router public IP address, etc., for this to be a safe assumption.

      2. Black Betty

        Re: "The main problems..."

        Apart from the obvious creep factor of having random strangers peering over your shoulder whilst you change your kid's messy bum, what of older children?

        Plenty of kids roam about the house in their undies or less.

        1. Cynic_999

          Re: "The main problems..."

          "Plenty of kids roam about the house in their undies or less."

          And? Just another creep factor. So long as nobody knows that the kid is being seen by a perv, there is zero harm caused.

      3. Cuddles

        Re: "The main problems..."

        "OTOH I really don't see how a random stranger (even if he is a pedoterrorist), can cause or facilitate any harm to your sprog by looking at the image of said offspring."

        They probably can't. The problem is that images of offspring are unlikely to be the only thing the device ever sees. Identity theft is generally a problem not because someone manages to get hold of important things like passports and birth certificates, but because a whole load of seemingly innocuous information can add up to allow nasty things to be done. An insecure camera microphone, even if it's only on for a couple of hours per day in a couple of rooms, can pick up all kinds of information about your location, habits, relationship, valuables, and so on. And that's before you even start looking at the more obvious things such as what happens when mummy and/or daddy jump out of bed in the middle of the night to respond to a noise, and now there are naked pictures of them all over the internet.

        Just because something is sold as a baby monitor, that does not mean the only thing it's capable of is monitoring babies. Unknowingly livestreaming a significant portion of your home life just isn't a great idea; the potential problems go far beyond having a stranger see a sleeping baby.

  4. frank ly

    Perhaps it's working as intended

    "... 720p video and two-way audio in real-time ..."

    "... China's National Computer Network Emergency Response Team were also contacted, looked at the problems, and decided not to publish an advisory of its own."

  5. Nick Ryan Silver badge

    Not surprised

    Considering that the non-web enabled wifi baby monitors have almost exactly zero security applied*, I can't see why the incompetent manufacturers would care more about Internet enabled devices.

    * I have a Philips wireless baby monitor camera (some recent model or other). So does somebody else in the nearby area and as a result I can sometimes see flashes of their child's room instead of my own. Fucking genius.

    1. Anonymous Coward

      Re: Not surprised

      You can always switch channels, usually in the battery compartment.

      1. Martin an gof Silver badge

        Re: Not surprised

        You can always switch channels

        But the channels are not encrypted, and anyone with the will could tune-in. Wardriving for baby monitors?

        The difference is that the non-net type needs proximity to be tapped. The IoT type can be tapped from anywhere with an internet connection.

        M.

  6. tiggity Silver badge

    web cams, baby monitors etc

    Have historically been a security nightmare

    It will be a news story when one does not have mega security flaws.

    @ Nick Ryan

    Those baby monitors are useless, relative of mine used one to monitor ill relative when she was asleep (ill relative in separate room with various medical kit, she was in different room to sleep when not caring for him) - idea being if he moaned then baby monitor amplified noise would wake her (as she had slept through his actual calls on a couple of occasions with his voice being weak and rooms a few m apart).

    She occasionally got woken by baby noises from nearby house that would sometimes interfere and be received on her monitor.

  7. Christian Berger

    Luckily there's a pin-header and a simple to guess root password

    So it would be simple to just flash a different firmware without that cloud stuff onto it.

  8. Zog_but_not_the_first
    Boffin

    It doesn't help really...

    But I knocked up my jobbing camera to keep an eye on things using the good 'ole Raspberry Pi.

  9. Kevin Johnston

    A question...

    Is there any basic security concept that they have implemented correctly or are they likely to become the model answer for 'How not to secure a networked device'?

  10. Pen-y-gors

    Silver lining

    Not at all surprising, but there is a good side. Think of this as crowd-sourcing your baby-sitting. Instead of paying vast sums to a teenager who raids your fridge, booze cupboard and porn collection, while doing squishy things with her boyfriend on the sofa, you can just rely on thousands of people out on t'interwebs to watch junior for you.

    1. Anonymous Coward

      Re: Silver lining

      Squishy things with her boyfriend on the sofa? That sounds more like Pant-ys-gawn than Pen-y-gors.

      1. Martin an gof Silver badge

        Re: Silver lining

        sounds more like Pant-ys-gawn than Pen-y-gors

        Or perhaps pen-y-goes?

        ;-)

        M.

    2. Alistair
      Joke

      Re: Silver lining

      @Pen-y-gors:

      "while doing squishy things with her boyfriend on the sofa"

      Much more likely those two will be doing powdery things on the sofa and vapey things on the back porch. 'Shrooms done gone outta style!

      And how dare you assume the babysitter's sexuality. That might be her girlfriend, despite the 'stache.

  11. Anonymous Coward

    Seems like tech corps have declared war on consumers

    I don't buy that line that Joe Public doesn't care. I also think manufacturers have a responsibility, and if they can't live up to that, then welcome to regulation. But for Christ's sake we've been seeing these kinds of massive privacy / security / IoT vulnerabilities for 5+ years now. It's headline news every day, yet still nothing? F'in politicians. WTF do they do with our taxes!

  12. The Dogs Meevonks Silver badge

    It's quite simple... ban the sale of any IoT device that does not meet minimum security standards*.

    As for me... the number of IoT devices I have at the moment is '0' the number of IoT devices I plan on purchasing at any point in the future... also '0'

    *Get actual security experts to determine what those minimum safe & secure standards should be.

  13. NanoMeter

    Insecam

    Expect it to appear on Insecam anytime.

  14. LenG

    More cat videos

    I think I'll set one up so I can see what my moggies are up to when I'm not around. Anyone else is free to watch!

  15. heyrick Silver badge

    This is hardly even newsworthy these days

    Got a cheap pan & tilt camera at a supermarket end of stock sale. Image quality was okay, IR was impressive, and it worked reasonably well (didn't even need an ActiveX plug in!).

    But one horribly fatal flaw. No, I don't mean the bit where the username and password are sent in every http GET request.

    No, it's worse than that.

    If you can make an http request without the initial '/' character (like a dozen lines of code), then you can request ANY file in the served directory COMPLETELY BYPASSING ALL SECURITY. The basic authentication is a bit rubbish, but omit the leading slash and you can walk right past it.

    So no big deal right? It's just the web pages and junk that makes up the UI right?

    Wrong. Try asking for "system.ini" (not "/system.ini") and you'll get back a binary file full of gibberish. Within that file, camera login names and passwords. Why stop there? WiFi AP name, MAC, password. Does the camera archive to an FTP server or send periodic messages to an email service? Guess what, names and passwords...

    I contacted the company (months ago), mcl samar, and received no reply. I then asked them about the source code to the GPL parts of the device (it's a cut down Linux on one of those MIPS WiFi modules) and guess what, no reply.

    The device info page has a current promotion on it, so either they aren't interested in supplying firmware updates, or they're still flogging this horrendously insecure piece of crap to people. http://www.mclsamar.com/ECOMMERCE_WEB/FR/PAGE_Produit.awp?P1=2936 (the more info link partway down the page gives lots of promo pictures, videos, etc - but no updated firmware!).
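The missing-leading-slash bypass heyrick describes in comment 15, as an added example that is not part of the original thread and is not the camera's firmware. `flawed_status` models one assumed cause (an auth gate that only fires for targets starting with `/`); `hardened_status`, the `PUBLIC_FILES` allow-list and the request lines are hypothetical and constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy the request-target out of "METHOD SP target SP HTTP/x.y"; 0 on success. */
static int parse_target(const char *line, char *out, size_t outlen)
{
    const char *start = strchr(line, ' ');
    if (start == NULL) return -1;
    start++;
    const char *end = strchr(start, ' ');
    if (end == NULL) return -1;
    size_t n = (size_t)(end - start);
    if (n == 0 || n >= outlen) return -1;
    memcpy(out, start, n);
    out[n] = '\0';
    return 0;
}

/* Assumed flaw: the auth gate only fires for targets that begin with '/',
 * while the file lookup accepts any name relative to the web root. */
int flawed_status(const char *line, int authed)
{
    char t[128];
    if (parse_target(line, t, sizeof t) != 0) return 400;
    if (t[0] == '/' && !authed) return 401;
    return 200; /* falls through to file serving without credentials */
}

/* Hypothetical allow-list of UI assets; configuration files are not in it. */
static const char *const PUBLIC_FILES[] = { "/index.html", "/style.css", "/app.js" };

int hardened_status(const char *line, int authed)
{
    char t[128];
    if (parse_target(line, t, sizeof t) != 0) return 400;
    if (t[0] != '/') return 400;             /* not origin-form: reject outright */
    if (strstr(t, "..") != NULL) return 400; /* no parent-directory segments */
    if (!authed) return 401;                 /* auth before any file lookup */
    for (size_t i = 0; i < sizeof PUBLIC_FILES / sizeof PUBLIC_FILES[0]; i++)
        if (strcmp(t, PUBLIC_FILES[i]) == 0) return 200;
    return 404;                              /* /system.ini is never served */
}

int main(void)
{
    /* Constructed request lines, not captured traffic. */
    const char *lines[] = { "GET system.ini HTTP/1.1", "GET /system.ini HTTP/1.1",
                            "GET /index.html HTTP/1.1" };
    for (size_t i = 0; i < 3; i++)
        printf("%-26s flawed=%d hardened(no auth)=%d hardened(auth)=%d\n", lines[i],
               flawed_status(lines[i], 0), hardened_status(lines[i], 0),
               hardened_status(lines[i], 1));
    return 0;
}
```

The hardened path rejects the malformed target before authentication is even considered, and keeps configuration data out of the served set so that a routing mistake alone cannot expose it.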

  16. sanmigueelbeer
    Facepalm

    That code contains a hardcoded four-digit root password

    "0000"?

    1. Dan 55 Silver badge

      Obligatory

      Hey, that's the code on my luggage!

  17. Anonymous Coward

    Psssst, hey kid

    Yes you.

    Can I interest you in some off-brand diapers?

    No?

    How about some rusks?

  18. Shadow Systems

    How to amuse yourself with IOShit.

    Back when I were a lad at school, my best friend was in the electronics course to become an electrician. He figured out that most car alarms worked on the same set of frequencies, so created a frequency cycling, low power broadcaster to try & activate said alarms. He then strapped the device to a small R/C plane & flew it over various shopping mall parking lots, strip mall parking lots, & residential areas with the device cycling away, triggering every alarm in the area that could hear it. The results were chaos galore for those who heard their alarms go off, & a laugh a minute for my friend & I as we knew the cause of said chaos.

    Fast forward many years later to the age of wireless, in-home, not-yet-internet-connected baby monitors. Same idea as before with the frequency cycler, only this time it was set so it recorded which frequencies triggered where, so later review of the log files would show $Location $Frequency for his impish purposes. Go back the next day through the same area & a different R/C vehicle equipped with a RX/TX module tuned to that frequency, move it near enough to the location so it & the wireless unit inside could talk to each other, & start broadcasting porn soundtracks through the victim's wireless monitors. Cue the chaos, screaming, & laughter.

    Fast forward again to our era of IOShit devices. Now he just scans through the search engines designed to hunt for such unsecured devices, finds ones dealing with video, & MITM redirects them to various porn feeds of folks having sex for the audience. You have to imagine the chaos this causes & the screams it provokes, but the laughter he makes is rather impressive.

    So if you want to have fun with an IOShit device, simply use one of the search engines dedicated to finding such unsecured devices, grab a few feeds, & cross link them to random other destinations.

    You can laugh yourself silly as you imagine the looks on the faces as Joe or Jane Public goes to check up on their sprog, logs into their baby monitor feed, only to find it showing a pair of mating dogs in a different location.

    Note that I don't actually suggest doing this, it might be funny to you but horrendous to the victims, and you might cause folks to get harmed in the process... But if you DO decide to do something like this, please send a split screen feed of the owner, the intended target, & the actual target you've cross linked them to as a Youtube channel!

    =-)p

    Yes I do mean my friend, not myself. He was the electrician, I was the guy with all the R/C cars/helos/trucks/tanks. He supplied the electronic gizmos, I gave him the means to deploy them. =-)p

    1. heyrick Silver badge
      Alert

      Re: How to amuse yourself with IOShit.

      "grab a few feeds, & cross link them to random other destinations."

      My aforementioned MCLSamar IPcam - it comes with a DDNS service so that the app can find it by a name such as abc1234.something.com.

      Well, the password for setting the redirection is easily retrieved from the device (I can't remember if it was in the firmware or if I WireSharked it), and I used an unassigned alias to demonstrate that the password is good for all of them (would it have been too hard to base the password upon the alias in question?).

      It is slightly limited in that you can only set the IP address to the public IP of the client, but given you have a wide open door to the camera (so don't need to be using your IP if you can push a script or two onto another camera), it's more than enough to start trying to DDoS everybody...

      [no, I have not tried - some tests on my own camera on the LAN, and setting *one* alias to see if it worked...]

      Thing is, we find this amusing because of the lulz. How long until some organisation decides to use the same sort of things for far more malicious reasons? Smart meters anybody?

  19. Anonymous Coward

    what the ..

    Why is this even streaming over the net?

    Bloody well BE THERE WITH THEM and don't rely on shitty Chinese technology to get you out of your parental or professional duties
