Are Hackers Spying on Your Baby?

Marc Gilbert was washing the dishes when he first heard a stranger's voice in his daughter's bedroom. As he and his wife approached the room, he heard the stranger telling his two-year-old to "wake up you little slut." But when he entered, there was noone there. Instead, the voice was coming from the camera-equipped baby monitor overlooking the infant's crib.

Gilbert's baby monitor was hacked in August 2013 and since then reports of unwanted intrusions through Internet-connected devices have proliferated. This month, an online search engine called Shodan, originally set up in 2009 to provide feeds from web-connected CCTV cameras and webcams, made it inadvertently possible for people to view sleeping children through vulnerable smart baby monitors.

In response to the issue, a U.S. consumer watchdog launched an investigation this week into four of the baby monitor companies that it believes are compromising the safety of children.

"Over the past few years, the hacking of baby monitors has become an increasingly disturbing problem," Julie Menin, head of the investigation at New York's Department of Consumer Affairs, tells Newsweek. "In one instance a couple in Indiana heard someone singing The Police's 'Every Breath You Take' to their baby and making sexual noises through the monitor."

[Related: How to Protect Baby Monitors from Hackers]

The sexual aspect of such hacks is of "incredible concern" to Menin and she hopes the investigation will force companies to be held accountable for potentially deceptive claims that the devices help to keep babies safe. Subpoenas were issued on Wednesday, January 27, to four "major" manufacturers, but the DCA wants to give them adequate time to respond before naming them.

Through the investigation, Menin also hopes to raise awareness among parents. She claims that a significant number of baby monitors may be lacking some of the most basic security features and could therefore be exposing babies to sites like Shodan and hackers like the one who took control of Gilbert's device. Smart baby monitors, which tend to feature a camera, microphone and speaker, pass live feeds through a user's wireless router and over the Internet in order to be viewed by parents remotely on a smartphone or other device. Without adequate security protections in place, hackers can use the camera and microphone to spy on babies and use the speaker to communicate with them.

The Shodan search engine is able to capture images from these baby monitors by using a bot to trawl the Internet looking for cameras that use something called the Real Time Streaming Protocol (RTSP). If no password authentication is in place for the RTSP device, the bot is able to access the feed and transmit the images to Shodan users.

"Shodan doesn't login to any devices and doesn't try to circumvent any authentication," Shodan founder John Matherly tells Newsweek. "All information is collected from publicly-accessible devices the same way that Google does."

But the problem is much bigger than a script used by a search engine. Security researchers agree with Menin that the main fault lies with the device manufacturers and the users being complacent about the potential threats.

"A webcam that has been configured to be public and open isn't really 'vulnerable,' it's just open and doing what it is supposed to do," Sean Sullivan, security advisor at F-Secure, tells Newsweek. "The webcam owner is possibly making an assumption that nobody would be scanning for such things on the Internet and thus they presume security through obscurity. But clearly, that's a very bad assumption."

Sullivan believes security is often an afterthought for the device manufacturers, a sentiment shared by Chris Boyd, an analyst at the security firm Malwarebytes.

"The problem here is that many Internet of Things devices ['smart' devices like fridges, TVs, baby monitors and light bulbs that connect to the Internet] are horribly broken security-wise because it costs money to ensure a reasonable standard of protection on a product," Boyd says. "The fault lies with the vulnerable products.

"Shodan is effectively just a search engine, and if we took it out of the equation completely, it would just be replaced by another method to pull up these images."

Several of the baby monitor manufacturers contacted by Newsweek, including Philips, did not respond to a request for comment. A spokesperson for France-based Withings said it took the privacy of their customer's data seriously. Both companies were identified in a 2015 report published by security firm Rapid 7, which found that nine different models of baby monitors from eight different brands were vulnerable to hackers.

[Related: Hacked Baby Monitors Highlight Perils of Internet of Things]

Many of the security weaknesses exposed by Rapid 7 are considered trivial by researchers, such as default passwords and a lack of encryption. The report found that any "reasonably competent attacker" could gain control of the baby monitors. In response to the report, Philips and other manufacturers advised customers to make sure their devices were up-to-date with the latest security advisories or fixes through the company's website.

The problem, Menin says, is that too few parents are aware that this is something they need to do when they buy a baby monitor. Her advice to parents is to buy a secure device, ensure that it is registered in order to be notified of security updates, and to use a strong password and change it regularly.

"We know this is a problem and unfortunately it's one that's not going away," Menin says. "We need to act and we need to act now."