A baby monitor that has more than 52,000 users has reportedly been deemed vulnerable to hacks — and a cybersecurity company is warning parents to stop using the device. The baby monitor in question is the Mi-Cam, produced by the Chinese vendor miSafes. Here's everything you need to know about this baby monitor cybersecurity warning, as well as how you can prevent your baby monitor from being hacked.
As reported by Forbes, Austrian cybersecurity company SEC Consult published a warning on Wednesday detailing the issue. "The miSafes Mi-Cam device is vulnerable against multiple critical vulnerabilities which includes unauthenticated access and hijacking of arbitrary video baby monitors," SEC Consult warned. The cybersecurity company reportedly reached out to miSafes multiple times in the last few months but allegedly did not receive any responses, according to Forbes.
SEC Consult's Senior Security Consultant Johannes Greil sent Romper the following statement:
"We have tried to contact miSafes since the beginning of December 2017 but were unsuccessful (they never replied). We also tried to contact the Chinese CNCERT for coordination support but could not reach them as well. Then we contacted US-based CERT/CC who did not want to coordinate this issue, hence we published our research (without too many details) in order to make consumers aware of the critical security issues."
The Mi-Cam works by connecting to wi-fi, allowing parents and caregivers to watch live video of their baby from their smartphone. Even though that feature is certainly convenient, this new report suggests that it comes with a risk. MiSafes did not immediately respond to Romper's request for comment.
SEC Consult's post explained multiple specific security issues with the Mi-Cam. Firstly, the baby monitor reportedly has broken session management, allowing a hacker to access information and watch the live footage.
Additionally, the forgot password option has some flaws, according to SEC Consult. The company warns that users can request a six-digit validation code if they've forgotten their password, and they can request multiple validation codes at a time. All validation codes continue to work for 30 minutes, even after a new one has been requested. This allows hackers to use brute-force (tedious computer-generated trial and error that is guaranteed to work, according to TechTarget) to take over any account that has clicked forgot password. Plus, when a user tries to reset their password, the system provides some details about the account, giving hackers even more information.
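For readers who build or review this kind of reset flow, here is a sketch of the server-side handling that avoids the weaknesses described above. It is an added example, not code from miSafes, SEC Consult or the original article; the names `ResetCodeStore` and `guess_success_probability` and the five-attempt limit are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 30 * 60      # the article's 30-minute validity window, in seconds
MAX_ATTEMPTS = 5        # assumed lockout threshold (not from the article)
CODE_SPACE = 10 ** 6    # number of possible six-digit codes


def guess_success_probability(live_codes, guesses):
    """Chance that `guesses` distinct guesses hit one of `live_codes` distinct valid codes."""
    if guesses + live_codes > CODE_SPACE:
        return 1.0
    miss = 1.0
    for i in range(guesses):
        miss *= (CODE_SPACE - live_codes - i) / (CODE_SPACE - i)
    return 1.0 - miss


class ResetCodeStore:
    """Keeps at most one live reset code per account (hypothetical helper)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._live = {}   # account -> [code, expires_at, failed_attempts]

    def issue(self, account):
        # Overwriting the entry invalidates any code requested earlier.
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._live[account] = [code, self._clock() + CODE_TTL, 0]
        return code

    def verify(self, account, candidate):
        entry = self._live.get(account)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._live[account]          # expired codes are discarded
            return False
        if hmac.compare_digest(code.encode(), candidate.encode()):
            del self._live[account]          # a code works once only
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._live[account]          # burn the code after repeated misses
        return False
```

The probability helper shows why keeping every requested code valid matters: each extra live code multiplies the odds that a given number of guesses succeeds, while the store keeps that number at one and caps the guesses.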
Additionally, the baby monitor was determined to include some software that is outdated and publicly known to be vulnerable. The default credentials are also fairly weak, using only a four-digit login.
Basically, the Mi-Cams are functioning fine, but they are vulnerable to being hacked. For that reason, SEC Consult advises Mi-Cam customers to shut down and put away their devices until the issues have all been resolved. "SEC Consult recommends not to use this device until a thorough security review has been performed by security professionals and all identified issues have been resolved!" reads the warning. "Although cloud-connected hardware may have an advantage regarding usability and convenience for users, if security is lacking those products pose a great risk for all customers."
SEC Consult also shared a video of someone successfully hacking into a Mi-Cam as an experiment.
SEC Consult adds that there are other similar baby monitors on the market that look like they may suffer from the same security problems, including the Qihoo 360 Smart Home Camera. Romper reached out to Qihoo 360 for comment but did not hear back. Not to mention, many experts have explored the issue of whether or not wi-fi baby monitors are safe.
In early 2016, the Department of Consumer Affairs (DCA) announced an investigation of four baby monitor manufacturers in response to endless reports of hacking, according to Newsweek. The outlet spoke with Julie Menin, who led the investigation for the DCA. The department advised parents to research baby monitors before making a purchase to make sure the one they get seems secure; to use a strong password and change it every once in a while; to refrain from including personal information (name, apartment number, etc.) in their wi-fi network; to stay abreast of software updates; and to turn devices off when not in use.
So if you have a wi-fi baby monitor, that doesn't mean you need to worry. Just make sure to take the extra precautions listed above to keep your baby monitor — and your home — free of hackers.
Update: This story has been updated with a comment from Johannes Greil of SEC Consult.