The Baby Monitor Spy: How the Internet of Things (IoT) is Often Unsecure

Internet of Things (IoT) & Security

In 2013, a cyber attacker hijacked a baby monitor to spy on a 2-year-old Texas girl, broadcasting obscenities at the young child, swiveling the camera to watch her flabbergasted parents as they entered and then to insult them as well. Fortunately for the young girl, she slept through the entire incident, but this brings into question the security of the Internet of Things.

A similar incident was reported by the UK's Daily Mail in 2014. Reporters watched live streaming footage of babies in cots, a schoolboy at home in North London, another asleep in bed, the inside of a church changing room, an elderly woman in a chair and two men sharing a meal in a kitchen.

In July 2016, the UK's data watchdog, the Information Commissioner's Office (ICO), posted that it was still seeing people and companies making the same mistake of failing to secure their gadgets. When contacted by Ars Technica, the ICO declined to name the compromised sites.

The ICO did, however, warn of a problem that must be addressed. With the Internet of Things (IoT) growing each day, potentially to billions of devices by 2020, unsecured IoT devices pose more of a threat than simply privacy invasion.

According to Simon Rice, the ICO's Group Manager for Technology, an unsecured device could be identified through a search engine, and an attacker could then gain access to the vulnerable device. Ironically, a hacker could use technology meant to keep you safe to access your entire network, steal personal data and commit identity fraud.

Hackers gain access to these unsecured devices through the search engine Shodan, which connects to services that are likely to be vulnerable, logs the vulnerable devices it finds and builds a searchable index of its findings. The IoT has connected everyday objects to the internet via IP addresses with very little security, offering a potential window for predators and thieves into your home.

Because of this continuing threat, manufacturers need to be doing more to protect their customers' data. For example, they could ship devices with passwords unique to each device rather than having a generic password that could provide access to countless devices. They could also build devices that require password changes once installed. This would separate your device from others, and make it harder for a hacker to access your network.
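The two manufacturer-side measures above (a password unique to each device, and a forced change once installed) can be sketched as follows. This is an added example, not code from the ICO or any manufacturer; the `Camera` model, function names, serial numbers and the list of generic defaults are all hypothetical.

```python
import hashlib, hmac, secrets

# Constructed sample of generic passwords the device must never accept.
GENERIC_DEFAULTS = {"admin", "password", "12345", "888888"}

def _hash(password, salt):
    # Slow salted hash so the device never stores the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Camera:
    """Hypothetical account state held on one device."""
    def __init__(self, serial):
        self.serial = serial
        self.salt = secrets.token_bytes(16)
        self.pw_hash = b""
        self.must_change = True   # set at the factory, cleared after setup

def provision(serial):
    """Factory step: random password unique to this unit (for its label)."""
    cam = Camera(serial)
    label_password = secrets.token_urlsafe(12)
    cam.pw_hash = _hash(label_password, cam.salt)
    return cam, label_password

def check(cam, password):
    return hmac.compare_digest(cam.pw_hash, _hash(password, cam.salt))

def change_password(cam, old, new):
    if not check(cam, old):
        return "denied"
    # Refuse short or generic passwords, and refuse reusing the current one.
    if len(new) < 12 or new.lower() in GENERIC_DEFAULTS or check(cam, new):
        return "rejected"
    cam.salt = secrets.token_bytes(16)
    cam.pw_hash = _hash(new, cam.salt)
    cam.must_change = False
    return "changed"

def open_stream(cam, password):
    if not check(cam, password):
        return "denied"
    # The factory password only unlocks the setup step, never the video feed.
    return "change-required" if cam.must_change else "streaming"

if __name__ == "__main__":
    cam, label = provision("SN-0001")        # constructed serial number
    print(open_stream(cam, label))           # change-required
    print(change_password(cam, label, "a long household passphrase"))
    print(open_stream(cam, "a long household passphrase"))
```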

The ICO remains firm on the stance that security should not rest solely in the hands of the consumer, but that the developer of a device should make a reasonable effort to ensure the privacy of its customers. An ICO spokeswoman said that manufacturers should "subject IoT devices to a robust security test before launch and for every subsequent firmware update."

This is not to say that IoT manufacturers are or should be entirely culpable for data breaches in homes. Consumers should be aware of the threat that they face in installing a device that connects to the internet through a relatively unprotected IP address, and should take the proper security steps to ensure that they are not being watched.