We really, really need to stop buying cheap security cameras. The latest chapter of this ongoing saga is a case in point.
Credit: Billion Photos/Shutterstock
You may remember that a few weeks ago, South Carolina mother Jamie Summitt discovered what she believed to be a hacker spying on her and her infant, using her $34 FREDI wireless baby monitor.
In a new report, information-security firm SEC Consult details a vulnerability the snoop might have exploited. If SEC Consult is right, many other baby monitors, security cameras and webcams made by the same manufacturer (hint: it isn't FREDI) might be vulnerable to the same attack.
To protect yourself, you should always change the password to one of these devices, as soon as it comes out of the box. If there's no password, or you can't change the password, throw it out and buy something better.
Summitt's FREDI baby monitor, like many inexpensive consumer surveillance products, uses a cloud-based remote-control system (known as a "P2P cloud feature") to transmit data between a device and its user.
FREDI is just of many brand names slapped onto the devices. Other brands include HiKam, Sricam, HKVStar and Digoo, according to research presented in November by Security Research Labs in Germany.
SEC Consult says the actual manufacturer is a company called Shenzen Gwelltimes Technology Co. Ltd., and that all the cameras instruct the buyers to use the Yoosee smartphone app (for both Android and iOS) to access the camera feeds. Security Research Labs was able to gather evidence of nearly a million vulnerable devices online, probably just a fraction of the actual number.
In essence, all the data that one of these cameras collects is stored on the manufacturer's cloud server, and travels from the camera to the server and then back down to the user's smartphone. This means that a crook doesn't need to be plugged into your private network to spy on you. If someone can intercept your connection, from anywhere in the world, they can access all your camera's data.
Credit: SEC Consult
How does the attacker intercept your connection? Many of the models in question have device-specific ID numbers, but share a common default password that's not at all secure. (As you can see from the photo above, the password to one model was literally "123.") The idea is that owners can connect their device to the app on their phone by entering the ID number and password.
You can probably see where this is going: If suspicious figures have the shared device password, they can try different device-ID combinations until they've connected an unknowing stranger's camera to their phone.
But that's not all. Gwelltimes devices also have sequential IDs, so once a hacker finds the ID number of one device on the internet, it's much easier to find the next device ID.
So what can you do? If you own a device like this -- and if you're using the YooSee app, then you probably do -- then you should always change its default password to something strong. That said, this may not always be enough: Summitt told ABC News that she changed her monitor's password when she first received it, and some devices have weak protections that allow hackers to bypass passwords.
The most reliable way to keep snoops out is to stop buying cheap security devices. Cameras like Netgear's $200 Arlo Baby are expensive, but they come with software frequently updated to address vulnerabilities, and apps that are harder to crack.