S.C. Mom Says Baby Monitor Was Hacked; Experts Say Many Devices Are Vulnerable
When Jamie Summitt woke up one Wednesday morning and saw the baby video monitor pointed right at her, she wasn't worried.
Yes, it had moved since the South Carolina stay-at-home mom fell asleep. But she assumed it was her husband, Kevin, checking in on her from work using the smartphone app that controls the camera.
That night, as the family ate dinner and the baby slept, her smartphone alerted her that the camera was being moved again.
"I looked over on my phone and saw that it was slowly panning over across the room to where our bed was and stopped," Summitt tells NPR. It was pointing to the spot where she breastfed her son, Noah, several times a day. The camera paused on the empty bed, then moved back to the bassinet.
This time, everyone who uses the app was together — and they weren't controlling the device. In fact, Kevin said he hadn't touched the app all day, which made Jamie remember the incident that morning with unease.
"Honestly, we were naive," Summitt says. "The first thing I thought ... was our app was haunted."
But soon they realized the far more likely explanation — that either the program or the device had been hacked.
The family unplugged the monitor immediately. Summitt says after a police officer set it back up to test it, they found she was locked out of her own account, which seemed to confirm that suspicion. Summitt posted on Facebook to warn other parents about the risk.
"I am supposed to be my [son's] protector and have failed miserably," she wrote. "I honestly don't ever want to go back into my own bedroom."
In 2015, the security analytics company Rapid7 published a case study of baby monitors that found a number of security vulnerabilities. The risk is not just to privacy and peace of mind: A hacker could use a baby monitor to gain access to a home's network to get information off computers, possibly for financial gain.
Tod Beardsley, Rapid7's director of research, worked on that study. He says they didn't look at the Summitts' baby monitor brand specifically, but they examined a number of products.
"We found that there were, pretty much across the board, some pretty easy-to-exploit vulnerabilities — things that have been already solved in mainstream computing," he says, and don't show up often in modern laptops or smartphones.
Baby monitors might, for instance, reset to factory defaults without warning users, Beardsley says, or allow for authentication to be bypassed. Basically, they're missing safeguards that are built into most modern computers.
"Hackers that I know and hang out with refer to Internet of things hacking as 'hacking on easy mode,' or 'hacking like it's 1998,' " Beardsley says.
Even a user like Jamie Summitt — who changed the password to a unique password she didn't use anywhere else — could be vulnerable.
"It sounds like she did all the right things," Beardsley says.
A family doesn't have to be targeted specifically to have a stranger peering inside its house, at least briefly, he says. There are people who sweep the Internet looking for unsecured cameras, like cameras that still use the factory setting username and password, just to see what's on them.
That said, he notes that most hackers are not sitting around watching babies sleep — "It's not super high-value," as he puts it. They're more likely to target the computer inside the camera, or the network it's on. But he knows that's not much comfort for people who find themselves watched by a prurient hacker.
Summitt, for her part, has been frustrated by the number of people who say she should have known about the risks.
"I would have never, ever bought something if I thought it was this easy of a security risk," she told NPR. "When I was making my baby registry, nobody warned me — no other mom said anything. It's not common knowledge."
After the unnerving incident, a police officer visited their house, she says, but she didn't file a report. (The North Charleston Police Department says it can't confirm the details of their conversation without a report.) She has attempted to contact the manufacturer, FREDI, with no luck. (The company has not responded to NPR's request for comment either.)
As for what's next? Summitt is not getting a new baby monitor. She's gone old-fashioned — she's leaving the bedroom door cracked open.
Beardsley suggests that parents who want a baby monitor opt for less sophisticated versions that don't connect to the Internet and use radio technology instead.
If you absolutely want one that can be used over the Internet, he recommends looking for a product with a good track record of fixing security problems. (Paradoxically, he wouldn't recommend products that have never hada reported problem — they've never been tested, he says.) He recommends Nest as one option. And always, always change the username and password from the factory setting, he says.
Beardsley also says it is disheartening that years after his company's report, baby monitors that appear to have easily fixed vulnerabilities are still on the market.
"The fact that there are still no standards around this is a little depressing," he says. "It will keep hackers in business for a long time."
Copyright 2020 NPR. To see more, visit https://www.npr.org.