As many as 52,000 baby monitors currently contain vulnerabilities that would allow a hacker to remotely intercept their video feeds, security researchers revealed Wednesday.
The first vulnerability, as detailed by researchers in a video demonstration, concerns the failure of miSafes to properly secure the communication channel between the Mi-Cam, its mobile apps and the company’s servers.
“[A]n attacker can access and interact (e.g. use the two-way audio function) with arbitrary video baby monitors by just modifying a single HTTP request,” the report states. “This allows an attacker to retrieve information about the supplied account and its connected video baby monitors. Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors for the supplied UID.”
SEC Consult also found that an attacker could easily obtain a user’s password by employing a brute-force attack after a password reset request has been made.
“The password forget functionality sends a 6-digit validation key (valid for 30 minutes) to the supplied email address in order to set a new password,” the report states. “An attacker is able to bypass this protection with a brute-force attack and can easily take over any existing account.”
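An added example, not taken from the SEC Consult report or from miSafes' code: a server-side verifier for the 6-digit, 30-minute reset code described above that caps failed guesses and burns the code once the cap is hit. The class name, the five-attempt cap and the in-memory store are assumptions made for illustration.

```python
import hmac
import secrets

CODE_TTL_SECONDS = 30 * 60   # validity window stated in the report
MAX_FAILED_ATTEMPTS = 5      # assumed cap, chosen for this example


class ResetCodeStore:
    """In-memory store of pending password-reset codes, keyed by account e-mail."""

    def __init__(self, clock):
        self._clock = clock      # injected so expiry can be exercised offline
        self._pending = {}       # email -> [code, expires_at, failed_attempts]

    def issue(self, email):
        # Use the CSPRNG-backed secrets module so the code is unpredictable.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[email] = [code, self._clock() + CODE_TTL_SECONDS, 0]
        return code              # in production this is e-mailed, not returned

    def verify(self, email, guess):
        entry = self._pending.get(email)
        if entry is None:
            return False
        code, expires_at, _ = entry
        if self._clock() >= expires_at:
            del self._pending[email]
            return False
        # Constant-time comparison on bytes (also tolerates non-ASCII guesses).
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._pending[email]     # single use
            return True
        entry[2] += 1
        if entry[2] >= MAX_FAILED_ATTEMPTS:
            del self._pending[email]     # burn the code; a new one must be requested
        return False


def guess_success_probability(attempts, code_space=10**6):
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(attempts, code_space) / code_space
```

Issuing codes needs its own per-account rate limit, otherwise each new reset request hands out a fresh attempt budget.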
Upon investigating the device’s physical security, SEC Consult found similar problems. Issues with the Mi-Cam interface allow an attacker “to get hardware level access to the device” and “extract the firmware for further analysis.”
After accessing the firmware, the researchers discovered “very weak 4-digit default credentials” for the baby monitor’s root user account and numerous software components afflicted by publicly known vulnerabilities.
The final flaw allowed the email addresses of users to be leaked through an API call.
SEC Consult says it opted to warn consumers after its repeated attempts, beginning in December 2017, to responsibly disclose the issues to miSafes went unanswered.
“From a security standpoint, it is not recommended to use those devices anymore until all security issues have been fixed and a thorough security audit has been performed,” the report concludes.