Until We Fix Our Connected Homes, Hackers Will Keep Screaming at Babies

Updated on May 4, 2014 at 1:20 PM

We proudly present this article from our partners at ReadWrite.

By Adriana Lee

It's like something out of Paranormal Activity: a young couple settled in for the night, only to be startled awake by a disembodied voice screaming at their 10-month-old baby in her bedroom.

This scene isn't from a scary movie, but the real-life drama that unfolded last week in Hebron, KY, was no less horrifying. Sometime around midnight, parents Heather and Adam Schreck said a hacker accessed the Foscam Internet camera the couple was using as a baby monitor, and yelled out, "Wake up, baby! Wake up, baby!"

Heather Schreck checked the camera through her smartphone and saw it panning around. When Adam bolted into the baby's room, it pivoted to face him and then started hurling a stream of epithets.

It's hard to say what's more unsettling — that a hacker could target a small child asleep in her bed, or that it might become a trend. The same thing happened to another Foscam customer in Texas last year.

Connecting the Threads on Connected Threats

Last August, a hacker infiltrated a wireless camera owned by the Gilbert family, living in Houston. The stranger took control of the unit and used it to scream obscenities at a 2-year-old toddler. Fortunately, the hearing-impaired child didn't have her cochlear implant turned on at the time — otherwise she would have heard the stranger yelling, "Wake up, Allyson, you little slut!"

Such attacks are particularly vile, certainly because they involve children, but also because they mar technologies intended to increase security. These devices are supposed to make us safer, but as it is right now, they wind up being our points of vulnerability.

It's tempting to blame Foscam for the security failings — after all, both the Schreck and Gilbert families used its cameras — or wonder if hackers were intentionally zeroing in on this company. But it's more likely that Foscam winds up being targeted simply because it's a popular brand: according to the company, it sells about 50,000 to 60,000 cameras each month worldwide and services millions of users.

With so many customers, even small technical issues can have major ramifications. Case in point: the failure of Foscam's software to remind users to change their default log-in. That's the likely reason the Schrecks' camera got hacked: the couple was still using the default log-in.

"[The software] didn't prompt us to change our password," Heather Schreck told me over the phone. "We didn't realize that we should do that. We have our router secured, so we thought it was safe. Foscam really needs to work on that to make it more recognizable and known that people need to change their passwords."

I contacted Foscam, which said it did update the firmware to include the prompt, along with other important security bug fixes. In fact, the company claims its software and hardware are routinely tested by security researchers, and maintains that it regularly publishes security updates.

The Schrecks, however, didn't get the new software. The reason for that is buried in the details.

Although some reports state that the Schrecks' unit was "the latest IP camera manufactured by Foscam," it actually wasn't. Heather informed me that it was actually model #FI8910W, a version that launched three years ago, and the Schrecks had been using it since little Emma was born.

"There were no hardware issues with this camera," said Foscam COO Chase Rhymes. However, he explained, that particular product debuted before the relevant security bugs were patched. Newer versions of the camera have the latest firmware preloaded, but owners of older cameras — say, older than six months — need to manually update their software for the latest updates.

Either way, users would still have to change their user names and passwords.

The Bug in This Rug

At the very least, whether prompted or not, the key takeaway for owners of Foscam devices or any other gadgets that touch the Internet is simply this: never stick with the default user name and password.

"The problem is, [default passwords are] easy for people to come up with . . . you know 'admin' or '1234.' Whatever a company's default password is," Rhymes said. "They just try one until it works." In this way, your device remains wide open to hacking for anyone that comes across it. That could be a lot of potential assailants.

Many Internet gadgets are easily discoverable via the Shodan search tool. Think of it like Google search for connected devices that hackers could use to identify potential targets. If your device shows up there — and plenty do — the last thing you want is to rely on a flimsy log-in like "admin/admin." You might as well as post a sign on your house that says, "Front door is unlocked. C'mon in."

For current customers, Foscam posted a list of tips for securing their wireless cameras, including changing log-ins and setting port forwarding on Internet routers, to make it tougher for hackers to discover your unit. The first item on the list is to update your software to get the latest security patches, especially if the cameras are more than six months old. Foscam also maintains an email list that customers can sign up with on the website. It reminds people to continuously update their software with the latest fixes and features.

Of course, no amount of patching can ever make connected devices 100 percent hackproof. That's true for Internet cameras, smart TVs, Web-enabled HVAC appliances, or anything else in a connected home. If nothing else, Heartbleed — the major security bug that caught the tech world with its pants down — taught everyone that.

Just to be clear, this Foscam camera exploit has nothing to do with Heartbleed. But they both point to an inevitable truth: any device that connects to the Internet, by its very nature, cannot be a "set it and forget it" gadget. It requires a certain amount of upkeep to ensure its integrity — even if it's just a baby monitor.

As a culture of consumers and convenience-minded end users, we may not be accustomed to this amount of maintenance. We want innovations that make our lives easier. Still, when safety matters and when those features really count, we have to be prepared to tend to our technologies, if we want them to take care of us.