Your baby monitor is an Internet-connected spycam vulnerable to voyeurs and crooks


#1

[Read the post]


A WiFi camera that makes home and office security a bargain
#2

Securi…what?


#3

I have been looking for a “Puppy cam” solution but the ones I’ve researched or tried in the past all suffered from one of two problems: a not mobile-capable and generally unusable UI or they were very expensive (think $599 at Costco or Best Buy for six cameras and… probably a shitty UI).

My current solution has been a webcam connected to a desktop/laptop that is set to not go to sleep. I leave Skype on and set it to auto-answer video calls from confirmed contacts (of which there was only one, me on another account). Next, I point the webcam at the place the puppies like to sleep during the day.

Using this I could use a second Skype account from mobile/work/wherever to phone the Puppy Cam. Puppy cam auto answers and voilà! I can see the dogs on the couch. Also, Skype’s history of security has been good, as far as I understand, at least.

The problems with this solution are:

  1. It doesn’t work with multiple Puppy Cams unless you have multiple PCs with webcams, each left on and with its own Skype account.
  2. This doesn’t support the ability to remotely move the camera to point in different directions even if the camera is capable of remote control movement.
  3. I’ve never tried to figure out recording. Last I checked, Skype doesn’t support it so I suspect a screen capture solution would be needed… ugh.
  4. I’ve also had varied success with cameras that have low-light, night-vision capability (the camera has to auto-enable for this to work over Skype).

So, this is not a bad solution. For a baby monitor cam, one could do the same and just disable all sound on the end receiving the call.

So, that’s my inelegant solution. I would LOVE suggestions about something more capable/simple and also affordable. Please! I’m sharing to help others but hoping for something better!


#4

Try Raspberry Pi and the “motion” daemon. I think it was designed for security but should work here too.


#5

I’ve got three Pis set up with the camera module and motion-mmal - it works but it is kind of fiddly and will take some moderate doing if you are unfamiliar with Linux. Actually, one is using a USB cam and as long as you don’t really care much about resolution, then a USB cam is easier to set up. I also wrote an Android app to make it easy to look at the cameras, maybe I should clean that up a bit and throw it up on GitHub.


#6

Public service announcement, kids, there is no such thing as a ‘security camera’. Cameras emit surveillance. Arranging the situation such that the surveillance serves as an ingredient in the production of security is a separate matter; and not always a trivial one.


#7

I’ve been fascinated with telepresence robots, most of which are very expensive but there are some like the now-discontinued Romo that are pretty cheap. I haven’t looked but I imagine there must be a pretty active hacking community for these kinds of things.


#8

I have a really hard time figuring out why a babycam would be internet-accessible. If these vulnerabilities were to other clients on the LAN, then it wouldn’t be such a big deal.


#9

Last time I had a baby monitor it was FM, audio only. Not all that secure, if bad guys really wanted to listen to my crying baby, but he wasn’t crying out credit card numbers.


#10

I think that the internet exposure is usually to support the (typically dreadful) ‘app’ that allows you to stream larva-feed on your smartphone without knowing what ‘NAT’ means. Apparently vendors aren’t quite up to the task of making that work without gaping holes.

As for LAN-only, that’s definitely not as bad; but cheap plastic boxes with flashable firmware and modestly punchy general purpose CPUs are pretty damn scary from the perspective of upping the potential persistence of whatever crap makes its way inside through web activity, clueless friends on the wifi, etc. Thankfully, most attackers don’t yet deem it worth the effort (though the NAS ransomware some time back was pretty hardcore); but if they did it would be quite a bloodbath.


#11

I can’t imagine a situation where I’m not inside my own network when I need to see my child on camera…because that means no one else is with him at that point, facepalm.


#12

Maybe something like the sonorously-named Xiaomi Ants XiaoYi could work? It seems to have a mobile app of some description and costs US$40.

I’ve been talking about Xiaomi stuff a lot around here, for some reason. They do make pretty decent stuff at rock bottom prices.


#13

Also, this is a serious, nontrivial issue and all. But boy, is that headline a fine example of stranger danger alarmism or what?


#14

I think they are used more as Nanny Cams as “Yes, the baby is still asleep in the other room, like I saw 5-minutes ago in person - Cams>”


#15

They should just make a FitBit baby with GPS.
I mean who doesn’t want to lojack their child?


#16

I’ve used Foscam network cameras ($50-$100) for various purposes like this. They have a web UI if you choose, but I use an app for Android called TinyCam Monitor Pro which gives me a multi camera view and a consistent interface across different models. The key thing, from my perspective, is not to allow these devices to punch a hole through your network and broadcast to the internet. I’ve turned off those features and instead use a VPN through my router to connect when I want to check on the dogs away from home. It’s certainly less convenient than the products mentioned in the article, but seems less cumbersome than your setup. I’ve also toyed with ZoneMinder from time to time for recording, etc., but I never spent the time necessary to get it working how I liked.

I expect there are some issues with my setup, but it should theoretically shield me from most of the IoT vulnerabilities that seem to crop up just about every week.


#17

Also, obligatory @codinghorror (still no onebox, eh?):

Welcome to The Internet of Compromised Things


#18

About a year or so ago I helped with setting up a CCTV system based on these. They are pretty neat for a canned solution. But a box with OpenVPN is a must for securing access from the outside.

OpenVPN, much easier than IPsec, runs on all the major platforms (I think), can work through both TCP and UDP connections that are NAT-friendly, and I once got it even to forward IPX between two LANs when there was a legacy No-well Netware server to be accessed.


#19

Agreed. I’m using OpenVPN via DD-WRT on my router. It would be nice if it were a bit more seamless on the client side, but overall it’s pretty easy to set up and use. Here’s a good starting point (mostly for @IanMcLoud):


#20

This topic was automatically closed after 5 days. New replies are no longer allowed.