
When baby monitors fail to be smart - kushti
https://www.sec-consult.com/en/blog/2018/02/internet-of-babies-when-baby-monitors-fail-to-be-smart/index.html
======
kees99
I have a problem with those two "vulnerabilities" listed:

- Available Serial Interface (referring to easy-to-solder console port pads
on PCB, accessible once you tear device apart);

- Weak Default Credentials (referring to weak root password that is only ever
accepted via serial console).

The life-span of a baby monitor is a couple of years, by definition. After that,
this hardware could either become a cool easy-to-tinker Linux device, or
e-waste.

Researchers at sec-consult seem to think the e-waste option is better, or at least
it's a necessary evil to deter those pesky hackers who sneak near your child's
crib, armed to the teeth with soldering irons and screwdrivers.

~~~
ken
> The life-span of a baby monitor is a couple of years, by definition.

Unless you have more than one baby. Or friends/family with babies. My nephews
are using products that weren't even new when I played with them, decades ago.

~~~
Waterluvian
I have a four year old monitor that's on baby #1 in my household. It's a dead
simple device and just works. I overwhelmingly care about its reliability to
work or tell me when it's not working and I'll easily sacrifice any
hackability to achieve that.

Ever have an infant crying for 45 mins because the monitor failed and you
thought he was still sleeping? Really really upsetting.

------
stuaxo
Haven't RTFA yet, but read a lot of internet of shit.

When I bought a baby monitor I made sure it was dumb, because why would I
trust some random company with data from a camera in my house?

~~~
book_mentioned
Are there any thoroughly documented examples demonstrating use of an RTL-SDR
to view these wireless cameras?

~~~
lathiat
I was literally about to say... sometimes the dumb ones are actually worse as
many of them are transmitting the sound and video over the air with no
encryption either :)

I imagine probably 99% of them are but I don't have any research to actually
back that up.

~~~
Xylakant
Many use the DECT Standard that was developed for mobile handsets. It’s not
high security, but it’s also not plain text.

They’re also not networked, so an adversary would have to get into range,
making a potential attack much more complicated. It certainly won’t defend you
from a targeted attack, but it will keep $random_person_on_the_internet
reliably away and I don’t have to rely on $companies server/network security.

~~~
lathiat
Well that's comforting :)

~~~
kurthr
Exactly... there are many things for which not being connected to the 'net
increases security a lot. You decrease the pool of crazies and crooks. However,
once a stalker is interested in spying on your house... physical proximity
isn't so much of a barrier.

"We begin by coveting what we see every day... Clarice"

~~~
Xylakant
I live on the fourth floor and the reception from my (audio only
unidirectional) baby monitor doesn’t reach to the ground floor. So the stalker
would need to be in one of the adjacent flats. Not an insurmountable barrier,
but one that I feel comfortable with, since all I need protecting is baby
babble.

~~~
danielvf
Or just a better antenna. :)

~~~
Xylakant
Maybe. It’s still just baby babble.

------
_pmf_
A baby monitor having accessible UART ports on the board has the same security
implications as a PC having a CD-ROM drive.

Actually, considerably less.

~~~
sokoloff
Agreed on a stand-alone basis, but couple that with client certificate based
auth and all client certificates being the same worldwide, and it makes the
UART a convenient step in the chain of attack. (Agree that the problem isn’t
the UART pads though.)

------
kwhitefoot
Just don't use a baby monitor.

~~~
tachyoff
There’s a baby in the house where I live. When he wakes up and is fussy, you
can absolutely hear him throughout most of the house. If you’re in the kitchen
it helps to have a monitor, just for the distance. Otherwise, do baby monitors
help if a baby is having breathing issues? Is it possible to tell? And if so,
what do you do to save them?

~~~
djak250
They have little movement monitors that you can clip to their waistband that
monitor the rise and fall of their chest. If it doesn't rise for 15 seconds
or something like that, you get an alarm. Hopefully it's enough to startle the
baby into breathing again, but otherwise at least the parents are alerted as
well. There are methods of encouraging the baby to breathe again, but I
haven't learned that yet. (The wife and I are expecting, so we're learning all
this stuff right now. 16 hour course next weekend... Oof)

~~~
larkost
Rather than use a clip-on version, go with something like AngelCare's line of
under-the-mattress ones. False-positives will be the bane of your existence,
so you want to avoid things that can fall off. With ours we usually got alarms
when our kids rolled to the very edge of the bed.

We never had any real issues with either of our kids, and only false alarms.
But I know my wife got better sleep just because the alarm was there (only in
part because I was usually the one to check when the alarm went off).

~~~
darklajid
Two kids, had an AngelCare.

We stopped using it nearly immediately. It was a glorified audio only monitor
for us, the check for movement/breathing was giving lots of false positives
and drove us insane.

Other parents even turned on a beep for each breath, which made it sound like a
hospital. You subconsciously hold your breath if the device beeps with a tiny
delay.. beep..beep....???beep

For us it was the wrong choice.

------
thinkMOAR
So how does this differ from other camera security concerns/complaints that
get posted regularly? Because it's called a baby monitor?

~~~
a2tech
The security on this is actually a lot better than most cameras--all the
traffic is SSL using trusted client certs. To get into the traffic they had to
tear the device apart and extract the cert. After that they could MITM the
traffic between the camera and the remote server and observe some bad
security. Unfortunately they also published the extracted certificate on their
blog which is not cool.

~~~
matthberg
They unfortunately did not have to tear the device apart and extract the cert,
they state that each device uses the same one, valid until 2038, which was
exposed in a previous exploit (and was likely previously available online as a
result). Though it _was_ definitely a bad idea to post it again on their site.

------
JeanMarcS
> trading privacy for convenience

That’s the important sentence to me. That’s where we've all gone wrong in my
opinion.

------
ateesdalejr
> it is possible to identify the following very weak 4-digit default
> credentials

And we all know what the password is... "1234"

------
jasonmaydie
Why does a baby monitor have to go through the cloud? You aren't supposed to
be more than 0-50 feet from your baby.

~~~
giobox
I suspect there’s a market for those parents who travel with work or are
otherwise away from home for a time wanting to “drop in” and see the kid.

Much the same logic as the market for indoor security cameras from
Canary/Nest/Arlo et al, and those seem to sell well enough. I know several
colleagues who use a Nest in this way, for families and pets.

------
tzs
What are some good solutions to authentication for IoT devices?

There's nothing wrong in principle with using a certificate (other than it
being overly complicated...there's a reason we aren't all using client
certificates to authenticate with our email server, Twitter, Facebook, etc).
Just as there is nothing wrong in principle with using a user/password scheme.

Both certificates and user/passwords suffer from the same serious problem: how
do you change them on the device? If you don't have a way to change them, all
someone has to do is learn the factory default and game over. (Even if you
provide a way to change them there is the issue of how to make sure people
actually change them, which is a whole other problem).

IoT devices often do not have a good interface on the device itself that you
could use to change a user/password (let alone enter a new certificate!).

You could include Bluetooth in the device, and provide a configuration
application that the user runs on their phone. If the device does not
otherwise need Bluetooth that is going to raise the cost a little, and if the
device does not otherwise need a mobile app making people get one just to set
the thing up is going to seriously annoy many.

What I would like to see is this:

1. Every IoT device (and every non-IoT device, for that matter, for reasons
given below) should have at least one of: (A) A USB port that you can plug a
thumb drive into, (B) A USB port that you can use to connect the device to a
computer, or (C) some type of SD card port. I think that USB is cheap enough
now that it would not cost much to add it.

2. If you plug a FAT or FAT32 formatted thumb drive or SD card into the
device, it reads and applies configuration information from a file on the
drive or card. There should be a convention established for the naming and
location of configuration files so that multiple devices from multiple vendors
can all have configuration files on the same drive.

3. If you plug the device into a computer via USB, the device shows up as a
FAT or FAT32 formatted drive with its current configuration in files on that
drive. You can edit them to change the configuration.

4. When you connect a thumb drive or insert an SD card and there is a "DOCS"
directory on it, the device makes a subdirectory in that named after itself,
and in that directory writes a copy of its user manual and other
documentation. If there is a "LOGS" directory, it should do a similar thing,
but with any logs it keeps. If there is an "INFO" directory, do a similar
thing but with information about the device, such as model number, serial
number, and other such stuff useful to have if you need to contact customer
service.

5. This mechanism could also be used to provide firmware updates to the
device.

(#4 and #5 are why I want this everywhere, not just IoT).

Another issue with IoT devices, once you have figured out how to change
authentication information, is how to keep that safe? For instance, I'm making
a motion detecting bird camera to take photos of the birds that stop by for
the food I leave out. If I want it to use my home wifi to upload photos...it
needs my home wifi credentials.

But it will be outside. If someone steals it, they have my credentials! (I'm
currently using a Raspberry Pi, so they could just steal the SD card...or if
they came prepared they could just borrow it, copy it, and put it back, and I
might not even find out about it).

My current thoughts are to have the thing come up after boot offering its own
wifi network. I can connect to that from my computer, and start the bird cam
software, which can ask for my wifi credentials. It can then stop offering a
wifi network and join mine, keeping the credentials only in RAM.

Still vulnerable, but it would then take an attack more sophisticated than
simply stealing it, or cloning the SD card.
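
The removable-drive provisioning convention from steps 1 to 4 of the post above, as an added Python example that is not code from the post or from the article. The `IOTCONF/<vendor>/<model>/config.json` layout, the `DOCS`/`LOGS`/`INFO` export names and the `ExampleVendor`/`CAM-1` sample are assumptions; `make_demo_drive()` builds a constructed drive in a temp directory so the module runs offline.

```python
import json, re, tempfile
from pathlib import Path
# Assumed layout (not a real standard): <drive>/IOTCONF/<vendor>/<model>/config.json,
# so several vendors' devices can share one drive; DOCS/LOGS/INFO are export targets.
CONFIG_ROOT = "IOTCONF"
EXPORT_DIRS = {"DOCS": "manual.txt", "LOGS": "device.log", "INFO": "info.json"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")

def _safe(name):
    """Reject vendor/model/device names that could escape the drive (e.g. '..')."""
    if name in (".", "..") or not SAFE_NAME.match(name):
        raise ValueError("unsafe path component: %r" % name)
    return name

def load_config(drive, vendor, model, allowed_keys):
    """Config dict restricted to allowed_keys; None if the drive has no file for us."""
    path = Path(drive) / CONFIG_ROOT / _safe(vendor) / _safe(model) / "config.json"
    if not path.is_file():
        return None
    raw = json.loads(path.read_text(encoding="utf-8"))
    if not isinstance(raw, dict):
        raise ValueError("config must be a JSON object")
    unknown = set(raw) - set(allowed_keys)
    if unknown:  # refuse rather than silently ignore keys we do not understand
        raise ValueError("unknown config keys: %s" % sorted(unknown))
    return {k: raw[k] for k in allowed_keys if k in raw}

def export_to_drive(drive, device_name, manual, log_lines, info):
    """Write manual/log/info into DOCS/LOGS/INFO/<device_name>/ where those exist."""
    payloads = {"manual.txt": manual, "device.log": "\n".join(log_lines) + "\n",
                "info.json": json.dumps(info, indent=2)}
    written = []
    for top, filename in EXPORT_DIRS.items():
        target = Path(drive) / top
        if target.is_dir():  # absent directory means the owner did not ask for it
            out_dir = target / _safe(device_name)
            out_dir.mkdir(exist_ok=True)
            (out_dir / filename).write_text(payloads[filename], encoding="utf-8")
            written.append("%s/%s/%s" % (top, device_name, filename))
    return written

def make_demo_drive():  # constructed demo input in a temp dir: DOCS and INFO, no LOGS
    drive = Path(tempfile.mkdtemp(prefix="iotdrive-"))
    cfg = drive / CONFIG_ROOT / "ExampleVendor" / "CAM-1"
    cfg.mkdir(parents=True)
    (cfg / "config.json").write_text(json.dumps({"wifi_ssid": "home-net", "wifi_psk": "example-psk"}))
    for top in ("DOCS", "INFO"):
        (drive / top).mkdir()
    return str(drive)
```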

~~~
atonse
Look at what Apple did with HomeKit. [1] Pretty damn awesome.

They really thought things through (can I add another "th" word in here?).

[1] https://developer.apple.com/homekit/specification/

~~~
SAI_Peregrinus
They really thought these things through thoroughly. (That's two...)

