Tens of thousands of baby monitors have ‘multiple critical vulnerabilities’ that allow hackers to spy on unsuspecting infants with ease.
Austrian cybersecurity firm SEC Consult discovered that Mi-Cam’s HD baby monitors, manufactured by Chinese company miSafes, have security flaws that allow for the ‘hijacking of arbitrary video baby monitors.’
SEC Consult estimates that Mi-Cam has more than 52,000 users, according to the report published Wednesday.
Austrian cybersecurity firm SEC Consult has discovered ‘multiple critical vulnerabilities’ in the Mi-Cam baby monitors (right), which are manufactured by Chinese company miSafes
Several listings of the Mi-Cams are available on Amazon, though it appears the devices have sold out or aren’t being re-stocked.
In total, SEC Consult outlined six different vulnerabilities that exist in the Mi-Cam video monitors, which owners also use to keep an eye on pets and various rooms in their homes.
One vulnerability allows hackers to easily gain access to the camera by requesting a missing password.
This sends a six-digit validation key to the supplied email address, allowing users to set a new password.
‘An attacker is able to bypass this protection with a brute-force attack and can easily take over any existing account,’ SEC noted.
As a result, unsuspecting users can easily get locked out of their account by a hacker.
Another vulnerability allowed SEC to gain access to open application programming interfaces, just by modifying a single HTTP request.
The Mi-Cam device, shown on the right, was discovered to have six security vulnerabilities. One security flaw allows hackers to take over the user account connected to the baby monitor just by requesting a forgotten password and deploying a brute-force attack on the device
A diagram shows how the Mi-Cam device communicates with a cloud service via HTTPS traffic
From there, hackers can get information on connecting to the Mi-Cam cloud network, hosted on Amazon Web Services.
‘This allows an attacker to retrieve information on the supplied account and its connected video baby monitors,’ SEC explained.
‘Information retrieved by this feature is sufficient to view and interact with all connected video baby monitors,’ they added.
SEC also discovered that, by tearing open the Mi-Cam, they were able to get hardware level access to the device and extract the firmware.
The researchers analyzed the firmware for additional security issues and discovered it had outdated software and weak passwords.
‘By analyzing the extracted firmware or by simply performing a brute force attack on the live system, it is possible to identify the following very weak 4-digit default credentials for the root user account used by the baby video monitor,’ SEC explained.
In short, by discovering the device’s root passwords, they were able to watch video feeds on the baby monitor.
Given all of the Mi-Cam’s vulnerabilities, SEC recommends that users just turn off the device completely.
‘From a security standpoint, it is not recommended to use those devices anymore until all security issues have been fixed and a thorough security audit has been performed,’ the firm said.
SEC was unable to get in touch with miSafes, despite repeated requests since last December.
However, Forbes spoke to QiWo Smartlink Technology, which also manufactures the Mi-Cam devices, who said the company will work with SEC to fix the bugs as soon as possible.
A Qiwo spokesperson told Forbes that the devices are on sale but out of production.