A home security camera being used as a baby monitor by a Texas family was hacked last week, according to its owner.
The incident has once again drawn international attention to the increasing number of security flaws being discovered in “smart-home” devices and the ongoing struggle to patch them.
Marc Gilbert said in a phone interview Wednesday that his Foscam IP camera was connected by ethernet cord to his home’s Comcast-provided network router. However, he had not turned on the settings needed to make the year-old device accessible over the Internet. The camera’s wireless connection was also disabled. His home does have Wi-Fi via an Apple AirPort device.
Gilbert said he had strong, customized passwords for the routers and the camera. They were in the seven- to 11-character range in terms of length. The internal firewall on the router was enabled, though on the lowest setting.
Despite the security precautions, Gilbert said a hacker took control of the camera last Saturday and heckled his young, deaf daughter. He disconnected the camera from the ethernet socket on his wall and then connected it directly to his computer. Gilbert found that someone had set up a new user account for the camera and had changed the passwords.
Gilbert and his wife had placed one camera in their almost-2-year-old daughter’s room and one in their 4-year-old son’s room. From their own room, they monitored the children at night with their Apple iPhone and iPad devices sitting on a nightstand.
The camera’s motion sensor would issue an alert to them if one of the children moved. For example, if a child was heading to the bathroom, Gilbert could get up and help him or her out.
“It absolutely came in handy,” Gilbert said. “It’s a shame to not have it anymore.”
How the hacker gained access to the device is unclear. Gilbert removed the power source for both the hacked camera and the unaffected older one, which deletes access logs. But if the camera was indeed not connected to the Internet, the hacker would have needed to infiltrate the home network in some way.
The cameras send log-in information, including passwords, over wireless and wired connections without any encryption. Anyone inside the network could see the log-in details using programs available for free online.
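The exposure described above is straightforward to check for on one's own network: a plain-HTTP session carries the login either in the URL query string or in an HTTP Basic `Authorization` header, and both are recoverable by anyone who can see the packets. The following audit script is an added example, not code from the article or from the camera vendor; it runs over constructed sample request lines (the addresses, parameter names and credentials are invented) and flags the requests that leak credentials, masking the password so the finding itself can be logged safely.

```python
import base64
from urllib.parse import urlsplit, parse_qs

# Constructed sample HTTP requests, as a passive monitor on the home LAN might
# record them from an unencrypted camera session. All values are invented.
SAMPLE_REQUESTS = [
    "GET /videostream.cgi?user=admin&pwd=hunter2 HTTP/1.1\r\nHost: 192.0.2.10\r\n",
    "GET /snapshot.cgi HTTP/1.1\r\nHost: 192.0.2.10\r\n"
    "Authorization: Basic YWRtaW46aHVudGVyMg==\r\n",
    "GET /index.html HTTP/1.1\r\nHost: 192.0.2.10\r\n",
]

# Parameter names commonly used for credentials in simple web-based device
# interfaces (assumed list; extend it for the device being audited).
USERNAME_PARAMS = {"user", "usr", "username", "login"}
PASSWORD_PARAMS = {"pwd", "password", "pass", "passwd"}


def mask(secret):
    """Keep a finding useful without writing the full secret into an audit log."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[0] + "*" * (len(secret) - 2) + secret[-1]


def find_cleartext_credentials(raw_request):
    """Return a list of (location, username, masked_password) for one request.

    Only the request line and headers are examined. Over plain HTTP both the
    query string and the Basic auth header expose the login in recoverable
    form: base64 is an encoding, not encryption.
    """
    findings = []
    lines = raw_request.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()

    # 1) Credentials passed as URL parameters, e.g. ...?user=X&pwd=Y
    parts = request_line.split(" ")
    if len(parts) >= 2:
        query = parse_qs(urlsplit(parts[1]).query)
        user = next((query[k][0] for k in USERNAME_PARAMS if k in query), None)
        pwd = next((query[k][0] for k in PASSWORD_PARAMS if k in query), None)
        if user is not None or pwd is not None:
            findings.append(("query-string", user, mask(pwd) if pwd else None))

    # 2) HTTP Basic authentication header
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            decoded = base64.b64decode(auth[6:].strip()).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            decoded = ""
        if decoded:
            user, _, pwd = decoded.partition(":")
            findings.append(("basic-auth-header", user, mask(pwd)))
    return findings


def audit(requests):
    """One findings list per request; an empty list means that request leaked nothing."""
    return [find_cleartext_credentials(r) for r in requests]


if __name__ == "__main__":
    for req, found in zip(SAMPLE_REQUESTS, audit(SAMPLE_REQUESTS)):
        print(req.split("\r\n")[0], "->", found or "no credentials in clear")
```

Running it against a capture of the device's own traffic (after decoding each request the way the server would) tells the owner whether changing the password on the camera is enough, or whether the login is being handed to every host on the LAN regardless of its strength.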
In addition, the cameras were susceptible to a security flaw because Gilbert had not updated the program, or firmware, that runs the camera. Foscam released a patch for the flaw in March, but Gilbert said he wasn’t aware there was an update until this week.
Artem Harutyunyan, a security researcher for the cybersecurity firm Qualys, has been tinkering with Foscam devices for several months. He said the firmware flaw, known technically as a directory traversal vulnerability, allows anyone to get access to a camera’s memory file without having to log in. The memory file contains user names and passwords, which can then be used to log in, tweak settings, view the video feeds and create a new account.
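The class of bug named above comes from a request handler that appends a client-supplied path to its web root without checking where the result ends up. The following is an added example, not the camera's firmware or the researcher's code, and it assumes nothing about Foscam's actual file layout: it builds a constructed directory tree with a public page inside the web root and a credentials file outside it (standing in for the "memory file"), then shows the unchecked handler reading that file through a `../` request and the hardened handler refusing the same request before any file is opened.

```python
import os
import tempfile


class Forbidden(Exception):
    """Raised by the hardened handler when a request resolves outside the web root."""


def read_file_vulnerable(web_root, requested_path):
    # Vulnerable pattern: the client-supplied path is joined onto the web root
    # with no check that the result still lies inside it, so a path containing
    # ".." walks up and out of the served directory.
    full = os.path.join(web_root, requested_path.lstrip("/"))
    with open(full, "rb") as f:
        return f.read()


def read_file_hardened(web_root, requested_path):
    # Hardened form: resolve both paths (following symlinks and collapsing "..")
    # and verify the target is still under the web root before touching it.
    root = os.path.realpath(web_root)
    full = os.path.realpath(os.path.join(root, requested_path.lstrip("/")))
    if os.path.commonpath([root, full]) != root:
        raise Forbidden(requested_path)
    with open(full, "rb") as f:
        return f.read()


def build_demo_tree():
    """Constructed layout: <base>/www/index.html is public; <base>/device.cfg is
    a credentials file that lives outside the web root (invented contents)."""
    base = tempfile.mkdtemp()
    web_root = os.path.join(base, "www")
    os.mkdir(web_root)
    with open(os.path.join(web_root, "index.html"), "wb") as f:
        f.write(b"<html>public</html>")
    with open(os.path.join(base, "device.cfg"), "wb") as f:
        f.write(b"admin_user=admin\nadmin_pwd=example-only\n")
    return web_root


def demo():
    """Exercise both handlers on the constructed tree and report what each did."""
    web_root = build_demo_tree()
    results = {}
    # A legitimate request behaves identically under both handlers.
    results["public_ok"] = (read_file_vulnerable(web_root, "index.html")
                            == read_file_hardened(web_root, "index.html"))
    # Unchecked handler: the traversal reaches the file outside the web root.
    results["vulnerable_leaks"] = b"admin_pwd" in read_file_vulnerable(web_root, "../device.cfg")
    # Hardened handler: the same request is rejected, no file is opened.
    try:
        read_file_hardened(web_root, "../device.cfg")
        results["hardened_blocks"] = False
    except Forbidden:
        results["hardened_blocks"] = True
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The check has to run on the fully decoded path (after any percent-decoding the server performs) and on the resolved real path, not on the raw string; filtering the literal characters `..` is not sufficient on its own. The same prefix test also protects against symlinks inside the web root that point elsewhere, because `realpath` follows them before the comparison.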
Harutyunyan said some manufacturers alert customers to firmware updates through email mailing lists, but it’s not instinctual to sign up for one of those lists when someone buys a new gadget.
“The good thing is camera vendors are doing a good job of reacting and fixing what’s discovered by security researchers,” he said.
The problem is updates can’t happen automatically because a power failure in the middle of an update could render the device unusable, he said. Users have to be involved in some way.
[Updated, 12:45 p.m. Aug. 15: The U.S. distributor for the Chinese camera maker said in an email on Thursday that it has posted a blog with tips on securing the devices, including regularly checking the access logs. A representative for Foscam U.S. also said automatic updates were not viable because of the possibility of corruption in transit.]
Gilbert said he hasn’t updated the cameras this week since he’s no longer using them. He hasn’t thrown them away because they might be needed now that he’s planning to file a police report against the unknown hacker.
A separate researcher this week revealed that Philips light bulbs controllable through a smartphone app are also susceptible to hacking if a user visits a page filled with malicious code. The light bulb system is sold at Apple stores. Nitesh Dhanjani said in a report that Philips never responded to his findings.
“Our society is starting to increasingly depend upon [connected] devices to promote automation and increase our well being,” he wrote. “As such, it is important that we begin a dialogue on how we can securely enable the upcoming technology.”