How to secure your baby monitor

library
crime | hacking | security

Two more nurseries have been invaded, with strangers apparently spying on parents and their babies via their baby monitors.

This is nuts. We’re hearing more and more about these kinds of crimes, but there’s nothing commonplace about the level of fear they’re causing as families’ privacy is invaded. It’s time we put some tools into parents’ hands to help.

First, the latest creep-out cyber nursery tales. Read on to the bottom for ways to help keep strangers out of your family’s business.

Baby monitor intrusion #1

A US mom in the state of Washington told KIRO TV that her son had been telling his parents for months that he was scared of the voices coming into his bedroom:

For months, my son was telling his family that the ‘telephone’ was telling him to stay in bed.

This past weekend, the mother heard those voices herself. While her son was napping, she heard a woman’s voice coming from the webcam in her son’s room.

At first, she thought the voices were coming from people outside the house.

But when she walked into the room, she said she heard another woman’s voice. This time, the voice said “Oh, watch this one, she’s coming in again.”

That’s when she saw the camera move in her direction.

The couple say they also heard a man’s voice saying, “Wake up, little boy, daddy’s coming for you,” while the camera followed the parents around the room.

The family, whose names were withheld for security purposes, had been using a wireless Foscam IP camera as a baby monitor.

As KIRO 7 reporter Kevin McCarty tells it, when the family called Foscam, they were told that

…It was possible that someone somewhere hacked into the system and were controlling it with a laptop or a smartphone app, but there was no way of knowing who that was or whether they were living nearby or on the other side of the country.

“Possible” that someone hacked into the system? “Undoubtedly” sounds like a better word choice, given a webcam swiveling about without its owners’ input and strangers’ voices coming through.

At any rate, determining whether or not the monitor had been taken over by e-marauders shouldn’t have been all that hard – all you have to do is check the logs to see what IP addresses have been accessing it, besides that of the parents.

That’s what a family did earlier this month after hearing creepy music coming from its Foscam baby monitor.

Indeed, at the time, Foscam told Computerworld that its cameras have “embedded logs which allow you to see exactly which IP addresses are accessing the camera”:

You will be able to tell if an outsider has gained access to your camera.

That couple, from Minnesota, looked up the IP address of the intruder and discovered that the music was actually emanating from overseas – Amsterdam, in fact.

They followed the IP address to a site with thousands of streams coming from cameras just like theirs, from at least 15 countries.

A similar site was found in November.

The site, Insecam.com, claimed to tap into the direct feeds of hundreds of thousands of private cameras secured with default passwords from 152 countries, allowing strangers to spy on people via security webcams delivering live feeds from bedrooms, offices, shops, restaurants, bars, swimming pools and gymnasiums.

These and other tales have motivated Foscam to do away with default passwords. The cameras it manufactures now, and for at least the past year, force users to change default passwords.

The Washington couple said that they did have a password and a username on the baby monitor but “someone got in anyway.”

At any rate, Foscam is far from the only webcam to be exploited by voyeurs. The second recent case of webcam takeover involves a Summer Infant brand wireless IP camera used as a baby monitor by a US mother in Kansas.

Baby monitor intrusion #2

The mom, Megan Klaassen, told KWCH 12 that she had a password on the baby monitor.

But she lives out in the country, and said her home Wi-Fi network was wide open.

After being followed around by her camera when putting her 3-month-old son down for a nap, “every single hair” on her body stood on end, she said.

I was freaked out like very, very scary actually. I knew someone was watching me. I yelled into the camera and I was like, ‘quit watching me’ but I didn’t know what to do. I was just so scared and so shocked that this is actually happening to me.

Klaasen turned off the camera, returned it to the store to swap it for one without wireless capabilities, and says she’s learned a valuable lesson about securing her Wi-Fi network:

I want all the moms out there to know that you’re not technically safe just because you either live in the country or you don’t have any neighbors. I want them to know to put passwords on these things and monitor whether someone is accessing them or not.

Well said. But with so many of these webcam hijacking stories in the news nowadays, it seems clear that people could use some help beyond the simple admonition to “put a password on your camera.”

While that’s a great suggestion, there’re more to it than that, obviously: after all, both of these families DID have passwords on their monitors.

And as the Kansas cyber intrusion makes clear, often there’s more than one password involved, as well.

Too many families are being unnerved by these privacy intrusions.

We want to help. To that end, Naked Security’s Paul Ducklin has come up with some security recommendations to consider.

If you feel like you’re out of your depth, he says, by all means, get an IT-savvy friend to help.

How to keep Peeping Toms out of the nursery

1. You probably configure your Wi-Fi router via your browser. You want to set it up so that the configuration screens can only be accessed from your side of the network, either by plugging into one of the LAN (local-area network) ports on the back, or via Wi-Fi.

Some routers allow you to open things up so you can access the configuration screens from the WAN (wide-area) side, which means anyone on the internet who can hack or guess the administration password can mess with your settings.

There’s no standard name for this feature, and no standard configuration option to block it. But look for an option along the lines of “remote administration,” “remote management” or “setup via WAN,” and ensure it’s turned off.

2. The configuration screens on your router should be protected by a username and password that you have to enter either when you open one of the screens, or when you try to change something.

The username doesn’t matter too much (it is often “admin” or something similar), but the password is important. If you choose an easy password, anyone who gets onto your network can mess with your settings, whether deliberately or by accident.

Pick a proper password! Here’s how.

3. Your Wi-Fi setup needs a proper password as well, so that you can control who can connect in the first place.

There are three main Wi-Fi security levels: Open (no password), WEP and WPA2. (Older routers may offer WPA as well. That’s similar to WPA2, but if you have WPA2 on offer, choose that instead.)

Don’t use “Open,” or else anyone can connect, even a stranger walking past your house.

And don’t use WEP. It sounds secure, but there’s a bug in how it deals with encryption. Crooks can easily crack a WEP password in a minute or so. This bug can’t be fixed (it’s due to the algorithm used), so some newer routers don’t support WEP. But most routers do, so watch out.

Never use WEP. It gives a false sense of security.

Check out our video if you want to see Sophos bust wireless security myths.

4. Your router vendor probably publishes security updates every so often to patch software bugs that could help a crook break into your network.

Just as you apply Windows updates for security (you do, don’t you?), or OS X updates on your Mac, you need to keep up-to-date on your router.

Go to your vendor’s website and search for support articles relating to security updates. The operating system software for a router is usually called the “firmware.” You may find a dedicated download page for the latest firmware.

You will need to download the right firmware for your model number; you will probably find the model designation on a sticker somewhere on the router.

5. Your webcam may have a password, as well.

If your webcam does support a password, use it. Don’t leave it blank, and don’t leave it set to the default value, which crooks probably know already.

If you aren’t sure how to set the password, try the vendor’s support forums.

And, as always, pick a proper password.

→ Can’t view the video on this page? Watch directly from YouTube. Can’t hear the audio? Click on the Captions icon for closed captions.