A big focus this week has been 'Internet of Things'. Yesterday, I posted a story about a security researcher who discovered a vulnerability in the Phillips-made Hue LED lighting system. In other words, he figured out a way to hack lights. The conclusion was that if a hacker was to exploit this vulnerability, the consequences could be quite serious, especially if he/she was to cut off the lights at a place like a hospital, police station, etc.
Today, TechHive posted a story about a smaller-scale, albeit very serious hack on another everyday item-a baby monitor. And unlike the lighting system hack, which gives the company time to patch the vulnerability before it's exploited (thanks to the researcher), the baby monitor hack actually happened, pinning a Texas couple and their toddler in the center of a terrifying experience. A man used the internet to break into a Foscam-made camera in the baby's room and proceeded to terrorize the family by shouting expletives at the sleeping two-year-old through the baby monitor. The couple heard his creepy voice upon entering the kitchen. When they rushed to the room, he turned the insults to them.
While the family had to deal with the fearful experience first-hand, this story also brings out a scary reality. This isn't a new vulnerability...
"How the man broke into the device through the internet is not known, but vulnerabilites in wireless IP cameras manufactured under the Foscam brand are well known."
In fact, researchers from security firm Qualys reported that they could easily use the Shodan search engine to find the internet-connected cameras and then proceed with the not-too-difficult task of breaking into them. Their report was in April...
"Among the serious security lapses they found was allowing users to login with the default 'admin' user name and no password, PCWorld reported. (This flaw was found in roughly 20 percent of the cameras studied)."
A major part of the problem lies in the fact that while Foscam is fairly fast at rolling out updates to patch the vulnerabilities, they don't have an effective way to get those patches out to customers, in the form of auto updates or alert mechanisms, for example.
Again, while many people may find it cool to be able to connect everyday items to the internet, the world isn't ready, at least from a security standpoint, for the 'Internet of Things.' This story should serve as a good reminder why, and hopefully force consumer electronic companies to make security a higher priority on their lists.
Home sensors need to be on their own physical network or VLAN. I used to have a wireless camera at home but I've retired it until I setup a VLAN with the only way in/out through SMTP or VPN. This is despite my existing network security - I don't even trust the traffic on my own home LAN when it comes to a camera monitoring my life.
Never ever trust embedded products, especially embedded consumer grade products. They have absolutely no reason to care about security.
Important: Always unplug your webcam when not using it, and for laptops always disable the webcam and microphone in the BIOS and disable it in Device Manager.
I don't mess around with sensors. Unfortunately, my cell phone is my only blind spot. If I was going against a government I would use a custom Android ROM, but being more concerned with consumer-level threats I stick with an iPhone.
Business Products Sr. Community Leader and Expert Advisor - WSA-Enterprise administrator over 2000 clients
First company to 1000+ WSA endpoints | Power User / Business Ambassador / WSA-C and WSA-E Beta tester
Find me on Twitter!