UPDATE: iBaby Labs contacted Tom's Guide on March 2 and said they are working on fixing these issues and directed us to their blog post. Details are below. This article was originally published on February 26, 2020.
Popular video baby monitors have several serious security flaws that could allow an attacker to view footage of your child, steal personal information, and even take control of the baby monitor. However, it is unclear whether the manufacturer will fix the vulnerabilities.
Bitdefender researchers examined the iBaby Monitor M6S at the request of PC Magazine and found that although the device uses a strong encryption standard, the encryption itself is very poorly implemented, with potentially disastrous consequences.
Owners of the iBaby Monitor M6S may want to consider not using it until iBaby Labs fixes these issues. Three other iBaby video monitor models are very similar to the M6S, and it is possible that those models have the same defects.
Bitdefender researchers found that several important encryption keys are based on the device ID and can be easily guessed. The network ID used to log into the cloud server is transmitted insecurely and can be intercepted, making it fairly easy for a stranger to access a baby video uploaded to the device manufacturer's cloud server.
Other IDs generated from the device ID could be used to upload alerts from the baby monitor to the cloud server, but could also be used to view alert video from a stranger's camera.
Commands could be sent to the cloud server that return the device user's name, gender, date of birth, and e-mail address, revealing important personal information to the attacker.
In addition, during the setup process of the baby monitor, the access password for the home Wi-Fi network was temporarily sent in plain text.
Bitdefender stated that it attempted to contact iBaby Labs, the manufacturer of the baby monitor, twice in May 2019 to notify them of the flaw. As of yesterday (Feb. 25), Bitdefender said it had not received a reply.
We have also contacted iBaby Labs and will update this article if we hear back.
Bitdefender specifically looked at the M6S model, but the other three models appear to be nearly identical to the M6S. The iBaby Monitor M6T, one of our top candidates, offers 720p video resolution instead of the M6S's 1080p video.
Both of these older models are deprecated in favor of two newer models: the iBaby Monitor M7 adds moon and star projections to the ceiling of the baby's room, and the iBaby Monitor M7 Lite moves the device's speakers to the top of the unit. Otherwise, both are very similar to the M6S.
Baby monitor manufacturer iBaby Labs responded in a blog post after this and similar reports were published.
"We are aware that one online article (published February 26-27, 2020) regarding vulnerabilities in our iBaby M6S has caused concern," the first post, dated February 27, stated.
"We want to reassure you that the security of your database is and has been our top priority. However, we are quickly investigating these reports and validating the claims."
On February 29, that post was updated to add information about what iBaby Labs is doing to fix the problem.
"We have immediately disabled the potentially compromised AWS (Amazon Web Services) credentials," iBaby Labs stated.
"Additionally, we have taken several steps to enhance security, including restricting access to cloud storage.
"So far, no hacks have been discovered and no sensitive information about accounts (usernames, passwords) has been affected. Since there has been no data breach, your iBaby account is secure. However, as a security measure, you should change your password regularly and remove inactive invited users."
"Soon we will also be releasing a firmware update that will be pushed to your device. You will receive a notification when it becomes available." This will further enhance your data security.
We contacted iBaby Labs again to ask if more models are affected and when the company learned of these flaws. We will update this article as soon as we receive a response.