In 2013, a man hacked into a Houston couple's baby monitor and started yelling at their daughter.
"Wake up you little slut," the man reportedly said.
That was one of the first in a long list of widely publicized and incredibly creepy security incidents involving internet-connected baby monitors. Yet, two years later, a large number of popular baby monitors, which allow parents to check in on their sons and daughters using an app or by logging into a website, still have serious vulnerabilities that leave them wide open to malicious hackers, according to new research.
For example, in one model made by Summer Infant, hackers could access the online live feed of other people's baby monitors' cameras. By exploiting a vulnerability and guessing the camera's ID number, hackers can create several user accounts to log into other users' web portals, according to the report.
That's just the worst example, according to Mark Stanislav, one of the researchers who analyzed nine different baby monitors from eight different vendors and graded them on their security. Eight of them got an "F," and one got a "D."
For most of the companies that sell these baby monitors, "security is kind of an afterthought," Stanislav told Motherboard in a phone interview.
Another baby monitor, this one manufactured by iBaby Labs, allows for a similar attack. Any user of the device's website, ibabycloud.com, can view the information of other users just by guessing other devices' IDs. That information includes the filenames of saved videos, according to the report. At that point, a hacker could even download those recorded videos stored in the cloud, Stanislav explained.
"You can now harvest all those [video] filenames, append them through that hardcoded URL, and now you can just create a script to download every single video clip for every single camera, from every single user," he said.
Summer Infant did not respond to a request for comment. A spokesperson for iBaby Labs said the latest version of its software is not affected by this vulnerability and that the company has notified users of the patch.
Stanislav and his fellow researcher Tod Beardsley found a total of 10 vulnerabilities affecting baby monitors manufactured by those two brands, as well as Philips, Gynoii, TRENDnet, and others.
In some cases, the baby monitors had easy-to-guess passwords that let attackers log into them remotely, a vulnerability that's common among "internet of things" devices. Another iBaby Labs device had "admin" as a hardcoded username and password, according to the report.
A monitor made by Philips had a similar problem, using hardcoded credentials which are easy to guess and can't be changed. It also had a series of other bugs, including one allowing users to access other people's camera feeds.
Philips, which has cooperated with Rapid7 since the firm reached out, told Motherboard that the company licensed to sell the product, Gibson Innovations, is developing fixes for the bugs and will make them available "by the first week of September 2015."
TRENDnet, whose camera also has easy-to-guess hardcoded credentials (though only accessible on a local network, not remotely), told Motherboard in a statement that it will push out updated firmware for its customers "shortly."
After this article was published, a spokesperson for Gynoii said that they "ignored" a Rapid7 email from July since it looked "like Spam without clear content," but added that he would now reach out to the firm. He also later pledged to offer a patch so that users can change the default passwords.
No other vendor mentioned in the report responded to Motherboard's request for comment. Stanislav also noted that, in many cases, the manufacturers either ignored their reports, or were not very responsive.
Overall, as with some other internet of things devices, it's clear that baby monitor producers need to start building their products with security in mind. That's what Stanislav is advocating through his non-profit, BuildItSecure.ly.
In the meantime, consumers need to be aware that "any time you're putting an internet connected camera in your network, you're going to take some level of risk," Stanislav said.
"If you're worried whether it's safe or unsafe," he added, "unplug it when you're not using it."
This story has been updated to add comments from Gynoii and iBaby Labs.