Rapid7 on Wednesday released a report on an assortment of new vulnerabilities in baby monitors from several manufacturers: predictable information leaks; backdoor credentials; reflective, stored XSS; direct browsing; authentication bypass; and privilege escalation.
Backdoor credentials — the vulnerability most frequently found — showed up in five products from different manufacturers.
The Philips In.Sight B120/37 baby monitor had three vulnerabilities; the Summer Baby Zoom WiFi Monitor & Internet Viewing System had two; and two products from iBaby Labs had one vulnerability each. Lens Peek-a-View, Gynoii and Trendnet’s WiFi Baby Cam also had one each.
“Many of the issues would allow video and audio from the device to be viewed by an attacker, whether from a live stream or previously recorded clips,” said Mark Stanislav, senior security consultant for global services at Rapid7.
In Their Security Infancy
News that a hacker had breached a baby monitor in a Houston family’s home kicked off an uproar a couple of years ago — but things haven’t changed in the baby monitor industry.
What’s wrong with the baby monitor vendors?
“Vendors in the Internet of Things are still very much learning just how complex the devices and ecosystem really is to secure,” said Stanislav.
Also, many of the vendors in the baby market space are newer companies that leverage many third parties, he said, and firmware for the components in the devices is “often years old, contributing to the lack of security.”
It’s also possible that the engineers who built the applications tested were not well versed in secure coding practices, Stanislav suggested.
Money Trumps Security
The rush to tap into the boom in the IoT market also is responsible for the inadequate security offered by IoT device manufacturers.
The installed base of IoT units will grow at a 17.5 percent compound annual growth rate over the next few years, to total 28.1 billion in 2020, IDC predicted.
IoT revenues will surge from US$2.7 trillion this year to more than $7 trillion in 2020.
In the race to market and bring products to consumers, inattention to security is likely to be an issue, said Craig Spiezle, executive director of the Online Trust Alliance.
Blots on the IoT Security Landscape
Only 10 of the top 50 IoT device manufacturers passed a security audit by the OTA for its 2015 annual honor roll, Spiezle told TechNewsWorld.
Another 38 manufacturers, or 76 percent, failed, and the last two neither failed nor made the honor roll.
Device manufacturers “need to look at the risk and vulnerability and areas for abuse,” Spiezle said. Also, “they need to design in the ability to patch or remediate once the product leaves their factory.”
Security in IoT “is questionable for the whole life cycle, from cradle to grave,” said Steven Chen, CEO of PFP Cybersecurity.
“What if there’s a Trojan in the IoT device when it arrives from an overseas manufacturer? What if the suppliers or channels or an insider tampers with the IoT device before it’s shipped to the end user? What if the end user failed to implement proper security? The list goes on,” he told TechNewsWorld.
Things may change for the better — the OTA in August formed a working group to develop a framework of best practices for IoT device manufacturers and retailers.
That’s critical, because consumer IoT issues could “directly extend into business risk,” Rapid7’s Stanislav said. For instance, compromised devices could be used to spy on people in their offices.