
Hacker taps into baby monitor, shouts at sleeping infant - timr
http://blog.sfgate.com/sfmoms/2014/04/29/hacker-taps-into-baby-monitor-shouts-at-sleeping-infant/
======
ipsin
[http://krebsonsecurity.com/2014/01/bug-exposes-ip-cameras-ba...](http://krebsonsecurity.com/2014/01/bug-exposes-ip-cameras-baby-monitors/)

"The issue came to light on the company’s support forum after camera experts
discovered that the Web interface for many Foscam cameras can be accessed
simply by pressing “OK” in the dialog box when prompted for a username and
password."

I understand that using this security hole to yell at a baby makes you a
terrible person, but I'm also appalled at the company that made that situation
possible for so many of its customers.

~~~
primitivesuave
It takes a reasonably intelligent programmer to identify a security hole, and
an entire team of foolish programmers to let one through. It's quite evident
that this company only has the latter.

~~~
fleitz
It's not a team, all you need is one fucking idiot who sometime in the 80s
once wrote some software that ended up on a satellite. After that everyone
will believe whatever that idiot says.

I once spent two hours arguing as to why using a single static AES key for
encryption on an app used by millions of people rather than just use SSL was a
bad idea, they talked about how secure it was, etc, etc.

After that frustration I went drinking. When I came back, I discovered that
their shitty encryption system had a 4-byte field for how big the message was.
I sent 256 20-byte requests to that system with message 'sizes' of
0xFFFFFF00-0xFFFFFFFF and watched as the server consumed about 64 GB of RAM
before falling over. (It was a .NET app, so a request of that size has to go
into gen3; since the subsequent requests are larger they can't reuse the
existing block.)

Then I openly mocked them in the next meeting, they still went with their
shitty encryption system because it was 'good enough' and apparently faster
than SSL.
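The defect fleitz describes is a length prefix that drives an allocation before anyone checks it. Below is an added example, not code from the thread or from any product discussed: a constructed framing format with a 4-byte length field, the naive parser beside a hardened one that caps the declared length and requires it to match the bytes actually received, and a regression check that feeds it the 20-byte frames with sizes 0xFFFFFF00 to 0xFFFFFFFF from the anecdote. The 1 MiB cap is an assumed service limit.

```python
import struct

# Constructed framing: 4-byte big-endian length prefix followed by the payload.
HEADER = struct.Struct(">I")
# Assumed limit: the largest message this service legitimately handles.
MAX_FRAME = 1 << 20


class FrameError(ValueError):
    """Raised when a frame is malformed or exceeds the configured limits."""


def parse_frame_naive(data: bytes) -> bytes:
    """The pattern from the anecdote: the declared length sizes the buffer
    before it is checked. A 20-byte request claiming 0xFFFFFFFF bytes makes
    this reserve ~4 GiB. Kept only to show the defect; not for untrusted input."""
    (length,) = HEADER.unpack_from(data, 0)
    buf = bytearray(length)                 # attacker-controlled allocation
    payload = data[HEADER.size:]
    buf[: len(payload)] = payload           # copies what arrived, zero-pads the rest
    return bytes(buf[:length])


def parse_frame(data: bytes) -> bytes:
    """Hardened parser: validates the length field before anything is sized by it."""
    if len(data) < HEADER.size:
        raise FrameError("frame shorter than header")
    (length,) = HEADER.unpack_from(data, 0)
    if length > MAX_FRAME:                  # reject before allocating
        raise FrameError(f"declared length {length:#x} exceeds cap {MAX_FRAME:#x}")
    payload = data[HEADER.size:]
    if len(payload) != length:              # declared and actual size must agree
        raise FrameError(f"declared {length} bytes, received {len(payload)}")
    return bytes(payload)


def frame_ok(data: bytes) -> bool:
    """True if the hardened parser accepts the frame."""
    try:
        parse_frame(data)
        return True
    except FrameError:
        return False


def rejected_oversized_frames(first: int = 0xFFFFFF00, last: int = 0xFFFFFFFF) -> int:
    """Regression check mirroring the anecdote: 20-byte frames whose length
    field claims ~4 GiB each. Returns how many the hardened parser rejected
    without allocating anything sized by the field."""
    rejected = 0
    for length in range(first, last + 1):
        frame = HEADER.pack(length) + b"\x00" * 16   # 20 bytes on the wire
        if not frame_ok(frame):
            rejected += 1
    return rejected
```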

~~~
hhsnopek
I hate when this occurs, people would rather go with their implementation
rather than have their own pride suffer.

~~~
jacquesm
[http://en.wikipedia.org/wiki/Not_invented_here](http://en.wikipedia.org/wiki/Not_invented_here)

------
ultimoo
An internet-routable camera in the house with a voice channel is _the exact
kind of thing_ that should have two-plus factor authentication, strong TLS
capabilities, respond only to pre-approved IP address ranges, and any other
paranoid security practice that you can come up with.

In fact any tin foil class practice in these situations is worthwhile.

~~~
cbhl
On the other hand, new parents are probably really stressed out (being awoken
in the middle of the night, etc.) so I wonder whether parents would be willing
to put up with two-factor auth on such a camera.

~~~
valarauca1
Is opening your laptop, waiting for it to pull up the site, loading the feed,
and waiting until your eyes can actually focus faster than walking 10-20 feet
down a hall to another room?

Maybe I just don't understand the company's target use case not having
children of my own.

~~~
chrismcb
I'm thinking checking your phone while you are at dinner is probably a little
faster than walking back to the house. And having a window up and running while
you are in another room working is also probably faster. The baby is supposed
to be sleeping; you don't need to walk into the room every 5 minutes to check.
I'm also going to guess the use case is NOT for people without children.

------
elwell
> a hacker accessed a Houston couple’s device and called their 2-year-old a
> slut

Sorry, this is just hilarious; partly because the journalist doesn't put the
degradation in quotes.

~~~
subdane
"scare" quotes. Literally.

------
strozykowski
> Heather picked up her mobile phone and accessed the camera to check on her
> 10-month-old daughter Emma’s room.

She didn't just walk into her baby's room after hearing a man's voice?

~~~
emiliobumachar
Checking the camera is a reflex you develop after the third time you get up
and go to the baby's room seconds after hearing them cry, to find them
sleeping.

~~~
dingaling
Perhaps it's a cultural thing. When my Northern Irish colleague was raising a
family in Hong Kong, he would let his baby cry in her cot for five to ten
minutes before going into the room.

Nothing unusual, that's generally what we do here. The baby will often settle
back to sleep and learn that crying doesn't always result in attention.

But the neighbours in his apartment were aghast and would immediately knock at
his door, panicking because his baby was crying and berating him for
'abandoning' her! And the next day they would continue the chastisement;
apparently the local custom was to pick up a crying baby immediately.

------
erobbins
Does thinking this is hilarious make me a bad person?

~~~
bertil
A little bit.

In all reason, a child that age has very little memory, and loud noises are not
exactly rare in his environment, so… it is a _little_ funny. I think reading
him Feynman lectures would be funnier, but then again, I'm not a comedian.

~~~
ars
> has very little memory

Not true at all. Yes, they won't remember specific events, but they certainly
do remember the way things work, and they now have a fear response to a
certain kind of voice.

It hopefully will fade, but not necessarily. I've met babies (and one toddler)
who were scared of men but not women.

------
devindotcom
This isn't even the first time this has happened, if I remember correctly.
There are thousands of unsecured devices out there that no one will ever
secure, because they were never registered, just plug and play devices bought
at Target for $20. It's an insoluble problem unless someone writes an invasive
fix-it worm or something.

~~~
Torgo
As far as I'm concerned, Foscam cameras (the type in the story) are not
securable. The firmware is complete trash. I have one and it is loaded with
bugs. At least twice now I've gotten an urgent email telling me to update my
firmware because of an exploit. I blocked mine on my router from accessing the
Internet.

To give you notifications, it wants you to put in your email password, instant
messenger password, ftp password, basically almost a dozen things that could
destroy your life if hacked. And this buggy, remotely exploitable camera wants
you to trust it with all of them.

------
throwaway-9684
It's most likely that the "hacker" in news is from /g/. Every so often he has
been posting videos on YouTube where he's yelling at people with unsecured IP
cams.
[https://rbt.asia/g/thread/S41535725](https://rbt.asia/g/thread/S41535725)

~~~
ars
It's one thing to yell at an adult, it takes a different kind of nasty
creature to yell at a baby.

------
3rd3
It’s funny that "Schreck" is German for fear/fright/shock.

------
smoyer
"Heather picked up her mobile phone and accessed the camera to check on her
10-month-old daughter Emma’s room."

There's a man's voice coming from my 10-month-old daughter's room ... should I
check my phone or get out of bed and _RUN_ over to make sure she's not being
kidnapped, molested, etc.? This mother's reaction makes me think she'll be
texting her (soon to be) teen-age daughter at the dinner table instead of
making conversation.

------
senorprogrammer
As an owner of one of these cameras I remember being appalled at how difficult
it was to actually secure, how many settings needed to be changed, and how bad
the defaults were. Foscam cameras are practically shipped open and insecure by
default, and it's not a stretch to say that you need to be a security-minded
technophile to figure out how to lock them down properly.

They make commercial routers look positively impregnable by comparison.

------
Mz
Well, while, obviously, this is atrocious behavior on the part of the hacker,
I can't quite relate. I hovered over my kids and I can't imagine sticking my
infant so far away from myself that a baby monitor would be necessary. I never
used one. I think that's generally not a good use for modern tech. I think
it's the kind of thing that falls under "what's wrong with the world today."

------
jrvarela56
It's both amazing and scary that this kind of vulnerability is fairly common.
Check out this great talk given at Defcon
([https://www.youtube.com/watch?v=5cWck_xcH64](https://www.youtube.com/watch?v=5cWck_xcH64))
to get an idea of the magnitude. These are systems that do not require any
kind of tampering or credentials. Most times credentials are given to you in a
prompt!

------
facepalm
The baby monitor we used, while without camera, wasn't even digital/internet
based nor encrypted. Once we heard a kid call for "mama" before our baby could
even speak. Wonder how many people listened in on us.

------
anaphor
With the rise of things like shodan this will probably become a lot more
common until people either stop caring to exploit them or the vendors fix it.

------
finnh
Why does the listening end of the monitor have a speaker? My (non-video, non-IP)
baby monitors are strictly one-way.

~~~
senorprogrammer
These cameras aren't baby monitors per se, they're designed for surveilling a
space. They have both a microphone for listening and a speaker for... shouting
at ne'er-do-wells stealing your stuff, presumably.

------
redeemedfadi
It's probably even easier to view the feed from my 2.4GHz baby monitor, but at
least you have to be in range...!

------
microcolonel
Slightly off-topic: isn't it a bit weird for them to air two stories
criticizing IP cameras in a row?

------
cpayne
"Shouts at sleeping infant"

I hate that kind of sensationalist, link baiting journalism.

~~~
emiliobumachar
Both the title and the article seemed pretty objective to me. In this case,
the facts are truly sensational. What looks linkbaity to you?

~~~
bertil
The facts are there, but they might be framed in a way to make them come off
as worse, or more impressive than they really are, hiding a more
representative reality.

To take a controversial example: pointing out how many hardened criminals are
from a certain ethnic background might be true, yet without precautions about
discrimination, correlation between economic opportunities, expectation once
jailed a first time, attitude of the parole system… it can come off as racist,
because it over-simplifies a problem. In many cases, say pointing out the gender
breakdown of declared sexual assailants, take a minority behaviour to placate
it to a larger group.

In that case, the title seems to imply (although, does not say) that the
‘hacker’ was a threat to the baby. He never actually was: yelling at a baby is
callous coming from an adult, but their siblings probably do that daily. More
to the point, it gives the impression that accessing a home connexion is about
bodily harm and threats to physically fragile people -- or even heartless
pranks. Truth is: the real issue is a lot more about accessing your digital
assets, identity and bank account.

~~~
saraid216
I'm curious how you would have written the headline, since you seem to be
wading through a very large miasma of implications in order to come to your
conclusions.

~~~
bertil
I would rather consider a study on the ratio of home appliances, mainly
routers and computers, that have been tampered with -- from a large and
representative sample. I would measure actual damages, intent and describe
insulting an infant as a "careless prank" without giving much more detail. I
would probably focus my angle on security updates, and consider practices:
namely, what was said higher up about parents being tired and most likely
sensitive to a simpler authentication protocol. I would actually like to
investigate why so many people are dubious of updates.

> miasma of implications

I’m not sure that tone applies.

An infant has bare social skills, little idea of property beyond holding and
no lasting memory; it is therefore far less sensitive to the threat of
'hacking' than its parents. I don't see any _miasma_ in "implying" ( _nota_ :
I was being careful because you come off as very anal) that it was used as a
symbol of frailty that needs protecting, a symbol that only makes sense in an
inappropriate physical interpretation of the event.

Then again: You were the one asking why that title could be seen as
inappropriate. Could. I answered that. I didn’t claim my answer was purely
objective: interpreting representativity never entirely is.

I will now remember not to answer questions you ask, certainly in a way that
could possibly change your position: you obviously don't like that. In a
related concern: what the f-ck is someone so bigoted doing on HackerNews?

~~~
saraid216
...okay.

1) I'm not the person you think you're responding to.

2) You're objectively _lying_ about what you're responding to.

3) What position did I take, precisely, that you'd like to change?

4) Have you considered learning how to read? Because being incapable of it is
the most charitable conclusion I can draw from your comment... and that's not
even bothering with the original topic.

------
niix
Wake up baby! Wake up baby!

