OK, enough cheerful peanut-based posts. Back to the usual cynical doom and gloom.
Multiple sources are reporting depressing news about baby monitors. A company called Rapid7, Inc. tested nine devices from eight different companies. They found that every single one had serious security flaws that would allow an attacker to view the video stream from the camera, change its configuration, or launch attacks on other devices on the owner’s Wi-Fi network.
If you’ve been paying any attention to security matters in the last few years, you probably aren’t surprised about Rapid7’s findings. Just as there’s no such thing as a bug-free program, there’s no such thing as a secure Internet-connected device.
What is surprising to me is just how bad the manufacturers’ responses were when they were informed of the vulnerabilities. Philips–or rather, Gibson Innovations, who hold the license to sell baby monitors under the Philips brand name–is working on a fix, although no timeline has been set for its release. None of the other seven manufacturers is planning to fix the flaws in their products. According to the article on Ars Technica, Rapid7 couldn’t locate one manufacturer, several didn’t even acknowledge receipt of Rapid7’s notification, and some stated flat-out that they saw no reason to look at the report.
If it were just baby monitors, it might not be a big deal, but let’s not forget that consumer electronics manufacturers are pushing more and more Internet-connected devices into the market. It’s not just TVs and video players (many of which have had their own security failings) anymore. Refrigerators that monitor their contents and nag you to go shopping–or simply place orders for grocery delivery themselves. Clothes washers and driers, dishwashers, ovens, furnaces, lights, smoke and carbon monoxide detectors, and door locks all have network connections.
Keep in mind that the baby monitors weren’t cheap models from fly-by-night companies. They included well-known brand names and some of the most popular models. Yet only one manufacturer is apparently willing to stand behind their product and resolve the problem. If that attitude carries over into other appliances, well, you might give some thought to buying up a stock of locks and light bulbs now while you can still get ones that don’t require a network connection.
“But wait,” I hear you say. “What if I just don’t set up the network connection? Won’t I be safe then?”
First, many “Internet of Things” devices are designed to set themselves up–scan for a network and join it automatically, or in some cases, they establish their own network parallel to your regular Wi-Fi.
Second, some devices won’t work until they’ve been set up. I recall a review of a Bluetooth-controlled door lock, which unfortunately I can’t find at the moment, which will not lock until you pair it with a smartphone and run an app to set the combination for the manual push-button mechanism. (At that, it’s arguably safer than a lock that comes with a default combination printed in its manual.)
Third, if the device doesn’t self-configure and you don’t set it up, it will remain in its default configuration. Most likely, it will have a default password–or no password at all–allowing anybody who scans for Wi-Fi signals to find it and configure it for their own purposes. Do you really want your next-door neighbor to control your thermostat? How about your dishwasher? Better go apologize for that loud party last month before you install your new app-controlled garbage disposal.