You might want to hold off copping this baby monitor to keep an eye out on your newly born — unless you’re fine with unknowingly streaming your toddler to total strangers on the internet.
A severe vulnerability in iBaby Monitor M6S allowed hackers to snatch any saved pics or footage, access a live feed of the camera, and even glean your personal information, an investigation by PCMag and Bitdefender has found. The worst part? Anybody with an M6S and the necessary network skills can breach cloud-stored content by every other device of the same type.
Each time your baby moves, the monitor records footage and uploads it to the cloud before forwarding it to you. This data is protected with a secret key and access ID key, but the setup is a lot less secure than it sounds. The keys don’t simply give the monitor access to your own data, but to everyone else’s too.
The flaws don’t end there, though. “Using what’s called an Indirect Object Reference (IDOR), an attacker can extract some personal details about the parent who installed it,” PCMag writes. “These include the email address, name, location, and even profile picture.”
Bitdefender initially tipped off iBaby to the kink last May, but the baby monitor maker never even bothered to respond — even well after the standard 90-day disclosure period the researchers granted to the company. This means the vulnerability remains exploitable.
Despite optimistic promises of a convenient and secure future of IoT, researchers have been finding shortcomings in baby monitors for years. In 2016, an investigation by the New York Department of Consumer Affairs found that four out of the five baby monitors it analyzed were prone to breaches.
Those interested in a more technical breakdown of the issue can consult with Bitdefender’s white paper here.
Update 12:15PM, March 6: iBaby has since fixed the vulnerability.
In a statement, the company said that although hackers could have abused the bugs to glean users’ data, there’s nothing to suggest this had occurred.
Did you know we have a newsletter all about consumer tech? It’s called Plugged In – and you can subscribe to it right here.
Published February 27, 2020 — 14:59 UTC