There must have been more than a few parents uneasily eyeing their smart baby monitors in the past couple of weeks.
The monitors, which connect to your home’s wifi network and are accessed via an app on your smartphone, have become increasingly common in recent years, giving parents a way to check on their child no matter where they are in the world.
Reports of wifi-enabled baby monitors being hacked and strangers having access to the camera feed are not new, but it was the subject of discussion on RTÉ1, bringing home to parents the risks posed by connected cameras.
Viewers of Claire Byrne Live last week heard about Michaela Beirne's experience with her Owlet smart baby monitor, where someone unknown to the family gained access to the camera and began to mess around with its video feed and settings.
One night, she said, the app displayed an empty cot instead of her sleeping one-year-old son. “My mind went to ‘He’s fallen out of the cot, how did this happen?’ My partner’s went to ‘There’s an intruder in the house,’ ” she said. Beirne and her partner, Dean, raced up the stairs, but found their child sleeping peacefully.
A small LED light that indicated someone was streaming the monitor’s footage was displayed on the camera. It was then they realised that someone had access to the monitor.
Then other things began to fall into place. Beirne said the app had notified her that the temperature in the room was too low, so she had put extra covers on the baby; a short while later, it told her the temperature was too high. And there was some indications that whoever had access to the app had been watching the stream before.
“There’s a little LED indicator so when the camera is streaming, when someone is looking at it through the app, it’s red; when there’s nobody it’s blue,” Beirne said. “We had been in bed the night before and we noticed it turned to red. Someone was actively watching the live streaming.”
After the incident the next night, Beirne unplugged the camera and got in touch with the company about the issue. In a statement read out on the show, the company said it was working with the customer “to address her concerns”, and detailed the various security measures it had in place.
But while the incident may be the most recent, it certainly isn’t the first time that wifi monitors have hit the headlines for the wrong reasons.
Degree of risk
What should serve as some sort of relief to parents is that these experiences are relatively rare and most wifi monitors will only be accessed by people known to the parents. But as with all internet connected devices, there is some degree of risk that the camera can be hacked.
It’s not just baby cameras we have to worry about: there have been numerous reports about security flaws in internet-connected security cameras that have left people open to being spied on or harassed.
In June last year, UK consumer watchdog Which? warned that about 3.5 million internet-connected security cameras in the country were at risk of being hacked, even if users had changed the password. About 700,000 were in Europe, with the majority in Asia. The issue seemed to stem from the app accompanying the cameras, which included brands such as Accfly, ieGeek and SV3C among others. The flaw in the CamHi app was still a risk to those who had changed the default password on the camera, usually the first – and effective – line of defence against hackers.
While the invasion of privacy is bad enough, it isn’t the only risk. The growing number of internet-connected devices that are popping up in our homes could also be used in online attacks. By exploiting poor security or vulnerabilities in connected devices, hackers can create a botnet – an army of zombie devices that could include security cameras,smart TVs and home automation sensors – that can be used to co-ordinate a massive cyber attack.
Take the Mirai botnet. In 2016 a large part of the eastern US coast suffered a major internet outage after a DDOS (distributed denial of service) attack was levelled at internet infrastructure company Dyn. The attacks came in waves, with tens of millions of IP addresses bombarding its servers with malicious requests and overwhelming the system until it simply gave up.
The botnet was made up of millions of IoT devices, with its creators scanning the web for vulnerable devices
It all seems a bit overwhelming, and weighing the risks it seems the best thing we can do is unplug the broadband modem and resolve to live a simpler, less risky life. That may be a little drastic, though, particularly in a time when our lives are so restricted that online is the only outlet we really have.
There are some steps that you can take to help protect you from prying eyes without resorting to drastic measures. All this advice comes with a caveat: even if you do everything the experts advise, you may not be able to prevent a hacker gaining access to your devices.
It will, however, make it significantly more difficult, in the same way that locked doors and windows won’t always keep burglars out but instead throws up enough obstacles to make your property a less attractive prospect.
The first port of call is always your home wifi hub. You might have thought to change the password on your wifi network, but what about the admin password on the hub itself?
Each broadband router has admin settings, accessible through your web browser, that allow you to customise your home network, from renaming the wifi and splitting the 5Ghz and 2.4Ghz into separate networks to applying security settings and changing passwords. It will also give an idea what devices are connected to your network, and give you a heads up if anyone has access to your network who shouldn’t.
The log-in details for your hub are often simple – such as “admin” and “password”, and others are often available online if you know where to look. Change the password from the system defaults to something more complex and you will give your hub an extra layer of protection.
Beef up security
If there is a default log-in and password on your camera, change that as quickly as possible to something that is difficult to guess.
The usual advice applies when it comes to apps: never reuse passwords. One compromised log-in can jeopardise every account where you reuse those same credentials, and could lead to more than just the annoyance of having to change every single password you have created.
It is also worth considering changing your password on a regular basis, so even if your account is compromised, the window for using it will be small.
Plenty of security cameras offer encrypted video, but not all. It is worth checking out the security rating on cameras before you install them in your home. Devices that encrypt the video stream will be harder to break into. If it doesn’t offer security features to protect your video stream, look elsewhere.
It's also worth looking at others' experiences with your chosen device. In the case of the Fredi monitor, the device had already been singled out for criticism by the Mozilla Foundation, thanks to its history of being easily hacked, and using a default password.
But just because your camera doesn’t have a documented history of security holes, it doesn’t mean they aren’t there. It could be that they haven’t been examined that closely, or at all, depending on the brand.
Reconsider remote access
One of the draws of wifi monitors and cameras is that you can access the devices while outside the home – say if you work away, or want to check in at home during the day. It may be a handy feature, but reconsider whether or not you really need it. Some cameras allow you to use your home’s wifi network to link the camera and your device but disable access from outside your home network. If you plan to access the camera only while at home, you don’t need remote access and you can cut it off. That doesn’t make the monitor safe just as having remote access doesn’t make it unsafe, but it does remove a potential way into your home.
Make it two-factor
Look for devices that have multi-factor authentication on their apps. This essentially means that in addition to your password and login, you will need a code before you are granted access to the app. Those codes, depending on the system you are using, can be sent by SMS or are generated by a third-party authentication app such as Google Authenticator or Microsoft Authenticator. No code, no log-in.
Keep it up-to-date
Check in regularly to see if your devices have the most up to date firmware, and if your apps themselves are up to date. This can keep prying eyes out of your devices by patching security flaws as they are discovered and fixed.
While most apps will check for updates automatically, your settings may be preventing them from notifying you about the new software, so it is worth checking regularly.
Where is the footage from your camera stored? It is worth looking into this aspect a little more closely. Find out how your video footage will be stored, where it will be kept and who will have access to it.
Most cameras will have an indicator that your camera feed is being watched on the app, with a light or a tone that will give it away. But you won’t always be there to see if someone has gained access to your camera. When not in use, unplug the camera.