Could my baby monitor get hacked?
By Lisa Galliers
Find out what happened when we investigated the privacy of three baby monitors. And advice to protect your family.
A baby monitor is a useful piece of kit to own when you have a baby, keeping an extra eye on your little one when he or she is sleeping, but is your baby monitor as secure as you think? Could it be hacked?
In our app-reliant lives, many parents may think a 'smart' baby monitor, one that turns your smartphone into a baby monitor, is the way forward. But how secure are these devices; who else could be keeping an eye on your baby?
You might have seen disturbing stories in the news reporting baby monitors being hacked by strangers who are then able to project their voice through the monitor's speaker, or of baby's images from monitors ending up on websites.
Baby monitor security probably isn't the first thing a tired new parent thinks about when setting up their latest gadget, but we think it's pretty important, especially as more and more monitors head this way. So we gave three popular wi-fi baby monitors to our technology team to do a snapshot investigation.
The three baby monitors were randomly chosen and, in our snapshot test, we assessed each for security vulnerabilities, including unencrypted data, unsecured ports and expired security certificates. The team also ran some basic tests to assess the security of admin logins and any password prompts.
This may not mean much to the average parent, but we think if you're trusting one of these devices to watch over your baby, you should know what pitfalls you could face.
Baby monitor reviews – find out which models come top in our tests.
Motorola MBP853 Connect
Test findings: We were able to see lots of SSL certificates (security certificates) used by this Motorola, which is good, and we couldn't extract any images or video streams from the data or any private information such as the monitor's location.
Results: Of the three we investigated, this was the best.
Motorola says: 'We take security extremely seriously and recognise the personal nature of data capture on baby monitors and continue to develop new products and services to ensure it's kept secure.'
MiniLand Everywhere IP
Test findings: There were no SSL certificates picked up in the data, which is bad, but it also didn't contain any images, streams or any data that gave away us or our location, which is good.
Results: We’d want to ideally see identifiable SSL certificates being used to know security was a top priority.
MiniLand says: At the time of publishing we haven't had a response to our findings from MiniLand.
Luvion Supreme Connect with Wi-Fi bridge
Test findings: We tested the Luvion Supreme Connect with the Wi-Fi bridge (purchased separately) which allows you to use the camera wirelessly. We were unable to find any SSL certificates from the data, which isn't good, and we were also able to access the admin panel of the camera by using a default login. While we tried to connect to the open port, we were unable to get past the authentication, which is at least something from a security point of view.
The Wi-Fi bridge also has an easy-to-guess default password, which is even printed in the manual. Although there is a prompt to change the password, having such an unsecure default password, along with the same for the admin login, isn't great at all.
Results: Of the three we investigated, this was the worst.
Luvion says: 'Instead of SSL, the security is based on (TTUK) proprietary encryption (AES128)... Luvion considers privacy and security as one of its top priorities. We will learn from each test, but would like to state that the encryption method chosen, is widely regarded as very safe. Further, if end-users follow the instructions in the manual to change the password there is no fair and balanced security threat on that side either...' Luvion also said ' We're strongly considering implementing an obligatory password change during the set-up...'
Which? advice on baby monitor privacy
While we were not able to get into any of the three cameras that we tested – not even the Luvion – we know there are other websites that have – for ethical or unethical reasons – published hacked feeds of unsecure cameras.
Hackers tend to crawl the web to find unsecured cameras, and then exploit them. They may do this for criminal gain, or just for kicks, either way you can protect yourself from this activity.
What can I do?
Secure Sockets Layer (SSL) certificates are essentially little data keys that lock up various digital activity, including secure connections, from prying eyes. They are used for all different types of activity, but most often in credit card transactions, data transfers and logins. You’ll know they are being used if the web address changes to HTTPS in the browser name and there's a little padlock icon.
Our security expert says baby monitors should use SSL certificates to secure the data they are transmitting, so you know it's secure, but finds that many don’t and the ones that do sometimes have old or expired certificates. Some of these could be susceptible to a 'man-in-the middle attack', where your data can be intercepted, or have known vulnerabilities or exploits.
Go for a camera that takes privacy seriously, such as the Motorola. Companies can buy secure SSL certificates from around £30 per URL, so we're not talking a big investment to make security a priority.
As we saw with the Luvion, too many cameras are shipped out with generic passwords. This means that hackers searching for open cameras don’t need to think too hard to gain access to the camera. If neither the user nor the manufacturer sets a secure password, the camera can be wide open to hijacking by hackers. Often, with both baby monitors and wireless security cameras, the user is not properly prompted to set up a password, so this is never resolved - although the Luvion did include a prompt.
Set a secure password, even if that means spending some time digging around in the menus to find the right setting. While a password is never 100% bulletproof to hacking attacks, it means that your camera isn’t low hanging fruit for the bottom feeders that trawl the internet.
Care what you share
With any device when you're opening a gateway from your life to somewhere else, care and be aware of what you share. Switch the device off when you're not using it. Don't leave it open as a little eye in the room. If you don't want to switch if off, put a piece of tape over the camera. You don't have to worry, just don't leave yourself vulnerable.
Ask about security
Don't be afraid to badger a retailer or manufacturer about the security of a device. The more people ask, the more security will become taken notice of. Demand security.
Our new baby monitor testing
Our privacy investigation was a quick snapshot of the vulnerabilities of some popular models, but with more smart baby monitors available to buy now – and many parents potentially unaware of the security issues they could be faced with – we've lined up an expert privacy lab to conducted our brand new testing on baby monitor privacy.
For any wi-fi monitor we'll test how secure they are and check for any vulnerabilities you may need to know about, such as unsecured data or weak password requirements and if any data could be intercepted.
Our revamped baby monitors testing also includes improved assessments for video picture quality, volume clarity and sound, as well as up to date range and signal strength testing.
Find out more about how we test baby monitors.