#1 By: Rob Beschizza, August 14th, 2013 10:51
#2 By: fuzzyfuzzyfungus, August 14th, 2013 10:59
For what it's worth, Team BBC says that the camera involved was a Foscam product. Looking at their product lineup strongly suggests that this was an IP cam, presumably hit through some horrifyingly trivial failure of implementation, rather than one of the old-school 900MHz or 2.4GHz analog video blaster systems (which are even worse; but at least only accessible within RF range, rather than anywhere).
Unfortunately, the security of embedded computers is generally pretty appalling, and 'security' cameras have the handy feature of being pointed at things people value...
#3 By: buddy bradley, August 14th, 2013 11:15
Geez, poor kid!
This reminds me of a story in Ghost in the Wires when Kevin Mitnick and his high school buddies hacked into the drive-through intercom at McDonald's and hurled abuse at drivers just trying to place their orders...
#4 By: Enkidu, August 14th, 2013 11:38
Oh good, I have that IP cam. Unless the parents in the story failed to secure it with a password (or something equally basic), I suppose I'm at risk as well. Time to check that firmware version...
EDIT: and yeah, the latest firmware includes:
- Enhance security to prompt user change the default blank login password
- Fix several vulnerabilities to improve security
I imagine most parents who buy such a device would have no idea what "firmware" is.
#5 By: greggman, August 14th, 2013 11:41
It doesn't seem to me the camera should have to be secure any more than a diamond ring should prevent itself from being stolen. The person using the camera should be responsible for securing it same as they're responsible for securing their jewelry. All an IP camera does is run a webserver for you to download/control the camera. It's up to you to make sure it's not accessible from outside your local network.
If it somehow punched a hole through your router/firewall maybe that would be cause to hold the company responsible. Otherwise no.
BTW: As an aside, every app you download to your phone/tablet can potentially see everything on every network you connect it to. I'd suggest running OpenWRT or some other router that lets you run multiple wireless networks. Put your phone / tablet on one network and your PC on another (not without its headaches but...)
#6 By: TheMetalPedant, August 14th, 2013 11:48
I like that this post is just downstream from Cory's review of the minimalist parenting book. If I felt the need to take an occasional peek in on my kids, I think I'd use the wired network that connects my eyes to my visual cortex.
#7 By: Enkidu, August 14th, 2013 11:58
Of course, one of the most useful things about an IP cam is being able to access it over the internet. That's problematic if one's really using it as a "baby monitor", I suppose (I'm not), but in any case any device exposed to the internet needs to be secured and regularly updated.
If I weren't lazy, I'd probably set up a home VPN rather than just punching a hole in the firewall; but it really would be nice to know more about the attack vector used in this case.
#8 By: Eris De Suzerain, August 14th, 2013 12:15
Fairly reliable the ol' eye sockets are, and they require minimal configuration.
#9 By: greggman, August 14th, 2013 12:41
Sorry I'm going to get geeky here but ...
SSH is your friend. (or VPN). You put the camera on your local net and don't make it accessible from the internet directly. You set up an SSH server. Some routers can do this, otherwise you need a PC always running Win/OSX/Linux. You set up dynamic DNS. Most routers can do this. You then SSH tunnel into your local network to the IP camera. Too much to go into here. Maybe someone should ask this question on a stackexchange site?
Clearly there's a market for a less geeky solution (although as a geek I have a problem trusting non-open source networking stuff).
#10 By: matthjones, August 14th, 2013 12:46
The weakness in the camera allows you to just hit a URL and get the mjpeg feed. No authorisation required! There is some more info here: http://atenlabs.com/blog/get-your-creep-on/ and a real life implementation at http://www.atenlabs.com/camwar/.
This is a variation on the 'people leaving random crap open on the internet' thing.
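A defender-side check for the behaviour described in the comment above, as an added example that is not part of the original thread: it requests a camera URL without credentials and reports whether the device answers with a login challenge or serves content. The path `/video-feed-placeholder`, the function names and the local stand-in servers are assumptions constructed for this example; substitute the address of your own camera.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Talk to the device directly; ignore any proxy configured in the environment.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def check_requires_auth(url, timeout=5):
    """Request url with no credentials and classify the answer:
    "protected" (401/403), "open" (2xx served without a login),
    "other" (any other HTTP error), "unreachable" (no HTTP answer)."""
    try:
        with _OPENER.open(url, timeout=timeout):
            return "open"  # headers arrived with a 2xx status; body is not read
    except urllib.error.HTTPError as err:  # must precede URLError (its parent)
        return "protected" if err.code in (401, 403) else "other"
    except (urllib.error.URLError, OSError):
        return "unreachable"

def make_fake_camera(require_auth):
    """Constructed stand-in for a camera web server on 127.0.0.1."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if require_auth and "Authorization" not in self.headers:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="camera"')
                self.end_headers()
                return
            self.send_response(200)
            self.send_header("Content-Type",
                             "multipart/x-mixed-replace; boundary=frame")
            self.end_headers()
            self.wfile.write(b"--frame\r\n")

        def log_message(self, *args):  # keep the demo output quiet
            pass

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    """Run the check against one protected and one open stand-in server."""
    results = {}
    for name, require_auth in (("protected_cam", True), ("open_cam", False)):
        server = make_fake_camera(require_auth)
        url = "http://127.0.0.1:%d/video-feed-placeholder" % server.server_port
        results[name] = check_requires_auth(url)
        server.shutdown()
        server.server_close()
    return results

if __name__ == "__main__":
    print(demo())
```

An "open" result only shows that no HTTP authentication challenge was issued; a device that returns an HTML login form with status 200 is also reported as open, so confirm by looking at what is actually served.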
#11 By: Jen Hamilton, August 14th, 2013 12:52
It is an IP Foscam, I have the same. The easiest software solutions for the camera were horribly insecure. I was able to put something together that was more secure, but the thing crapped out after 3 months, so it's no longer an issue.
#12 By: Jen Hamilton, August 14th, 2013 12:57
Just replied as new topic (over to the top right of original comment), if you want to carry on the discussion.
#13 By: Chris_Palmer, August 14th, 2013 14:24
Am I going to hell if I thought this was funny?
#14 By: Michael Smith, August 14th, 2013 17:12
Our old analogue baby monitor was picking up crying babies elsewhere along the street at one point. It occurred to me that you could write a great horror story around that with disturbed people spying on their neighbours' kids' bedrooms.
#15 By: fuzzyfuzzyfungus, August 14th, 2013 17:17
Here is a tragifarce with an angry and ignorant baby-monitor user facing off against a frustrated HAM radio enthusiast who wants their cheap, nasty, RF-spewing garbage off his licensed band...
No apparent malice on the eavesdropper's part; but apparently the quality control on cheap baby monitors is...not everything it might be...
#16 By: WolfgangSchlte1, August 15th, 2013 01:08
At least most parents are aware of their babies being very "wetware".
#17 By: Beanolini, August 15th, 2013 04:57
I prefer to think that it's picking up the ghosts of murdered babies.
#18 By: Adam, August 15th, 2013 05:10
I think that's a bug in a different model of camera.
The Foscam hack is based on a directory traversal bug (see here) which dumps the system memory, then you can extract the username/password from the dump.
#19 By: Daniel Johnson, August 15th, 2013 09:32
#20 By: Jeff Atwood, August 15th, 2013 20:11
Someone needs to tell this guy about "the Internet". I seriously do not get HAM radio enthusiasts post 2003 or so.