Calling all geeks, security freaks and privacy connoisseurs…at some point in your life, someone helped you. Will you please pay that forward? You surely know someone with a baby, and these days that implies the parent has some kind of baby monitor. Will you please pay forward the help you received by asking a baby’s parents if their baby monitor is an IP camera, and if it is…then ask them if they have changed the default password and locked it down?
Relax as that doesn’t mean you volunteered to be free 24/7 tech support, but yet another hacker has struck via a wireless Foscam IP camera/baby monitor. Whether it’s one pervert who continues to hack into baby cams, or many hijackers, it’s the kind of news that gets me worked up because there is absolutely no need for it to happen at all. And this is third time.
This time a hacker used the Foscam security camera to talk to Ashley Stanley, the nanny of a one-year-old girl named Samantha. She heard talking coming from the security camera, a man saying, "Oh, that's a beautiful baby.”
Stanley told KHOU, "I thought it was her mom and dad playing a joke on me." She wondered, "Is there like a toy on or something cause that is creeping me out!" But when the man commented, "That’s a really poopy diaper," she panicked and unplugged the camera. She then called Samantha’s parents and found out it wasn’t them and it’s wasn’t a joke.
This is the third time the same type of baby cam hacker story hit the news. In 2013, some jerk hacked a Foscam wireless IP camera that was being used as baby monitor so he could spy on and hurl curse words at a two-year-old girl. That time, like this one, the man virtually broke into the Houston family’s home. Another creep hacked another Foscam IP camera/baby monitor in 2014, screaming at a 10-month-old girl in Ohio before screaming obscenities at her dad.
“Updating firmware is extremely important, especially if the devices in question are more than six months old,” Foscam said after the first time a baby cam hacker struck. The camera “was a three-year-old model and needed a firmware update.” The company added that “being hacked is not exclusive to Foscam. All devices connected to the Internet run the risk of being hacked.” Foscam has "tips" for security its cameras.
Yet the reality that IoT devices can be hacked seems like science fiction to many people. For example, Stanley told KHOU, “I was really freaked out like maybe someone hacked into the camera.” She suggested, “You should probably password protect your camera.” Probably? Yikes!
The hacker got in via the family’s password-protected Wi-Fi and the camera had zero security. The baby’s parent admitted the Foscam camera was “not password-protected even though the Wi-Fi network it’s attached to is.” They and the nanny thought the security camera was set up to only allow viewing via a mobile app when the phone was also on the network. They had a relative who worked in IT and has since walked them through a secure setup.
"The biggest thing consumers can do is make sure that they change the default password and username," advised Foscam USA COO Chase Rhymes.
At CES 2015, when the FTC chairwoman warned of privacy threats from IoT device data, she suggested that companies should make devices with smart defaults to ensure consumers change default passwords when setting up devices. Clearly that needs to happen, but according to Rhymes, any Foscam camera manufactured in the last year forces users to change the default “security” settings. If the camera is older than a year, then the camera needs a firmware upgrade.
Lt. Gary Spurger of the Harris County Texas Precinct 4 Constables Office, a member of the High Tech Crimes Unit who also teaches a Cybercrime Investigators Certification course, said, “The take-away is follow the manual's instructions on how to set up the password for your camera. Make sure you have the latest and greatest firmware on the camera. The manufacturer of the camera will tell you how to do that."
Of course it seems tragic and terrifying to parents who learn about security the hard way, after someone has made it abundantly clear that the camera had been hijacked, but what if that hacker wasn’t on the other side of the world or even hundreds of miles away?
What’s most alarming, Spurger says, is that the hacker may have been close, anywhere from 300 to 500 feet from the home. “Obviously your child is the number one thing you want to protect and just the thought that somebody is watching her, potentially even when she is sleeping.”
After hearing a virtual intruder’s voice via a baby cam, not everyone would go running to the local news station to report being a victim; this type of intrusion could have happened many times in past. After all, “insecurecam” had links to 73,000 unsecured security cameras that used default username and passwords; cameras that allowed anyone to spy on the people on the other end. As the nanny suggested after the latest publicized Foscam baby cam hack, “What pervert has been watching and not said anything? That is the kind of person that I am afraid of. Like who has been watching silently.”
If you don’t want your wireless security camera hijacked, then not only change the default password, but also make it super strong! Use a phrase, or better yet, use a phrase to help you recall a password that’s not found in a dictionary. Here’s a silly example that uses lower and upper case letters, characters and numbers: “For eyes and ears at home because I love my precious little one” could be a password written as 4iz&e@HbiLmPl1. Don’t use that one, but a secure password could be something you can remember that looks like random gibberish.
Non-techies may not be aware that IoT devices need firmware updates; exhausted new parents may not be thinking clearly when they setup a wireless IP security camera to use as a baby monitor. Will you please ask at least one baby’s parent if they’ve locked down the camera so no virtual peeping Toms can secretly watch them through it? If we all ask someone, then maybe we can prevent a baby cam hacker from striking for a fourth time.