Baby monitor flaw lets strangers spy on your kids: What to do [Updated]

The iBaby Monitor M6T, very similar to the model that seems to have several serious flaws. (Image credit: iBaby)

UPDATE: iBaby Labs reached out to Tom's Guide on March 2 to say it is working on fixing these problems and to direct us to its blog posts. More below. This story was originally published Feb. 26, 2020.

A popular video baby monitor has several serious security flaws that could let attackers view footage of your kids, steal your personal information and even take control of your baby monitor. But it's not clear if the manufacturer will fix the vulnerabilities.

Researchers at Bitdefender took a look at the iBaby Monitor M6S at the request of PC Magazine and found that while the device used strong encryption standards, the encryption itself was very poorly implemented, with potentially disastrous results. 

If you have the iBaby Monitor M6S, you may want to consider not using it until iBaby Labs fixes these issues. Three other iBaby video-monitor models are very similar to the M6S, and it's possible that those models have the same flaws too.

The Bitdefender researchers found that some crucial encryption keys were based on device IDs and could be easily deduced. A network ID used to log into the cloud server was transmitted insecurely and could be intercepted, making it fairly simple for a stranger to get access to videos of babies uploaded to the device maker's cloud servers. 

Other IDs generated from the device ID could be used to upload alerts from the baby monitor to the cloud server, but could also be used to browse alert footage from strangers' cameras. 
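For device makers, the flaw described above can be checked for before shipping. The following is an added example, not code from Bitdefender, iBaby Labs or the original article: a provisioning audit that flags any per-device key that can be recomputed from the device's own ID. The device IDs, the sample records and the list of derivations are constructed assumptions, since the article does not say how the affected keys were actually derived.

```python
import hashlib
import hmac
import secrets

# Weak derivation patterns the audit tries (assumed for illustration only).
DERIVATIONS = {
    "raw-id": lambda d: d.encode(),
    "md5(id)": lambda d: hashlib.md5(d.encode()).digest(),
    "sha1(id)": lambda d: hashlib.sha1(d.encode()).digest(),
    "sha256(id)": lambda d: hashlib.sha256(d.encode()).digest(),
}

def derivable_from_id(device_id: str, key: bytes):
    """Return the name of the derivation that reproduces `key`, else None."""
    for name, derive in DERIVATIONS.items():
        digest = derive(device_id)
        # A digest is often truncated, or hex-encoded and then truncated,
        # to fit the cipher's key length, so test those forms as well.
        forms = (digest, digest[:len(key)], digest.hex().encode()[:len(key)])
        for form in forms:
            if len(form) == len(key) and hmac.compare_digest(form, key):
                return name
    return None

def audit(records):
    """Map each device ID whose key is predictable to the matching pattern."""
    findings = {}
    for device_id, key in records:
        hit = derivable_from_id(device_id, key)
        if hit:
            findings[device_id] = hit
    return findings

def provision_key(length: int = 16) -> bytes:
    """Hardened form: a key from the OS CSPRNG, unrelated to the device ID."""
    return secrets.token_bytes(length)

# Constructed sample provisioning records: (device ID, key stored for it).
SAMPLE = [
    ("CAM-000123", hashlib.md5(b"CAM-000123").digest()),         # predictable
    ("CAM-000124", hashlib.sha256(b"CAM-000124").digest()[:16]),  # predictable
    ("CAM-000125", provision_key()),                              # random
]

if __name__ == "__main__":
    for device_id, pattern in audit(SAMPLE).items():
        print(f"{device_id}: key is derivable from the device ID via {pattern}")
```

A clean audit only rules out the patterns listed; the fix is to generate every key the way `provision_key` does and store it per device, rather than computing it from an identifier.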

Commands could be sent to the cloud server to return the device user's name, gender, birth date and email address, revealing vital personal information to the attacker. 

And the baby-monitor setup process briefly caused the home Wi-Fi network's access password to be transmitted in the clear, meaning that anyone snooping within reception range could grab that password.

Who's monitoring the monitors?

Bitdefender said it tried to contact the baby monitor's maker, iBaby Labs, twice in May 2019 to notify the company of the flaws. As of yesterday (Feb. 25), Bitdefender said it had received no replies.

We've reached out to iBaby Labs as well and will update this story when we receive a response.

Bitdefender looked specifically at the M6S model, but three other models seem to be nearly identical to the M6S. The iBaby Monitor M6T, one of our top choices, offers 720p video resolution instead of the M6S' 1080p video. 

Both of those older models have been deprecated in favor of two new models. The iBaby Monitor M7 adds a projection of the moon and stars onto the ceiling of a baby's room, and the iBaby Monitor M7 Lite moves the device's speaker to the top of the unit. Otherwise, they are both very similar to the M6S.

Update: iBaby Labs responds

The baby-monitor manufacturer, iBaby Labs, responded with blog posts after this and similar reports were published.

"It has come to our attention that certain online articles (published Feb. 26-27th, 2020) regarding the vulnerabilities of our iBaby M6S have caused concerns," said the initial posting, dated Feb. 27. 

"We want to reassure you that the security of our customers' database is and has always been our utmost #1 priority. ... However, we are quickly researching these reports and verifying the validity of the claims."

On Feb. 29, that post was updated to add information about what iBaby Labs was doing to fix the issues.

"We have immediately deactivated the potentially compromised AWS [Amazon Web Services] authentication information," stated iBaby Labs. "In addition, we've taken a few measures to tighten the security such as limited [sic] the cloud storage access."

"So far, no hackings [sic] have been spotted and no critical information regarding your account was affected (username, password)," it added. "Since there was no breach of data, your iBaby account has been secure and protected. However, as a security measure, you should periodically change your password and delete inactive invited users."

"Soon we will also release a firmware update to be pushed out to your device," the posting said. "Once it's available, you will receive a notification. This will further enhance data security."

We've reached out again to iBaby Labs to ask if more models are affected, and when the company learned of these flaws. We'll update this story again when we receive a response.

Paul Wagenseil
