Always feel like someone’s watching you — or your baby? The New York City Department of Consumer Affairs is launching an investigation into baby monitors to find out how vulnerable they are to hacking. It sent subpoenas to several video monitor manufacturers and will investigate whether they’ve fixed known vulnerabilities and if they’re engaging in false advertising when it comes to security claims.
“Internet-connected devices like video monitors provide convenience but without proper safeguards, they pose serious privacy risks,” DCA Commissioner Julie Menin said today in a statement. It’s not just the stories that make the news when a parent hears voices coming through the baby monitor or notices the camera following their every movement. Connected cameras and baby monitors have lots of known vulnerabilities, and many device owners may not even know they’re at risk.
A September 2015 report from security analytics provider Rapid7 gave eight of the nine baby monitors with cameras it analyzed an F (as in fail) when it came to security. The other received a D. The cameras were transmitting video without encryption or had easily cracked default passwords. HP conducted its own study and found that all the Internet-connected home security systems it tested had encryption and password issues. Some wouldn’t lock you out if you tried repeatedly to guess the password and others simply let you choose weak passwords or leave the default one in place. Back in 2014, an article published on Motherboard detailed a website that collected video streams from over 73,000 IP cameras whose owners never changed the devices’ default passwords.
As the DCA investigates, it has some advice for those with Internet-connected baby monitors: Do your research to see if your camera has known security vulnerabilities, regularly change your difficult-to-guess password, register your device to get firmware and other updates, and turn the camera off when you’re not using it.