Security News Researchers Warn of Hackable Baby Monitor (Chinese-made; sold on Amazon)

LASER_oneXM

Level 37
Thread author
Verified
Top Poster
Well-known
Feb 4, 2016
2,520
Security researchers have concluded that a Chinese-made baby monitor sold on Amazon is riddled with vulnerabilities, confirming a mother’s suspicion that her device had been hacked to spy on her infant.

SEC Consult said the FREDI-branded device, which is designed to look like a puppy, is most likely the work of an OEM called Shenzhen Gwelltimes Technology Co., Ltd.

The device has a P2P cloud feature which allows supported smartphone and desktop apps to connect to it via the cloud, making it easy for users to interact with it without needing to be on the same network. There are also no firewall rules, port forwarding rules or DDNS setup, SEC Consult claimed.

“On the back of the device there is an ID Code and a password (ID: 11610289, password: 123). In the supported app (e.g. YYP2P) there is an ‘Add online device’ function that allows you to add the device,” the researchers explained.

“Unfortunately the device ID does not look very secure. Plus the default password is neither randomly generated nor device-specific. Unless the user has changed the password to a secure one, anyone can log in and interact with the camera by ‘trying’ different cloud IDs.”

SEC Consult claimed that researchers have already successfully proven how to hack a P2P cloud system in a demo last year “that starts with scanning for valid device IDs, brute forcing passwords and then exploiting missing firmware update integrity/authenticity checks to gain remote code execution and persistence on the device.”
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top